wpa_supplicant: Check length when building ext_capability in assoc_cb

When building wpa_ie in wpas_start_assoc_cb() with ext_capab,
make sure that assignment does not exceed max_wpa_ie_len.

Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 88142675ea71ff2fb820fd8b93f5dac5e8e86272..00ef3a4b5e1842873f8185099a01688aaf488d02 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2572,7 +2572,8 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
                int ext_capab_len;
                ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
                                                     sizeof(ext_capab));
-               if (ext_capab_len > 0) {
+               if (ext_capab_len > 0 &&
+                   wpa_ie_len + ext_capab_len <= max_wpa_ie_len) {
                        u8 *pos = wpa_ie;
                        if (wpa_ie_len > 0 && pos[0] == WLAN_EID_RSN)
                                pos += 2 + pos[1];