path: root/wpa_supplicant/sme.c
diff options
authorJouni Malinen <j@w1.fi>2014-06-07 13:33:28 (GMT)
committerJouni Malinen <j@w1.fi>2014-06-07 13:35:30 (GMT)
commit0bbaa9b93f76025e81c3976bebcc00bf1660cfec (patch)
tree4153258afb424b40e429bec44ac64bf3288d191a /wpa_supplicant/sme.c
parent9c6c5589e043a517f3670ebcd3f499f46457bb0d (diff)
Validate driver extended capabilities length against buffer length
Prepare for new extended capabilities bits by checking that the local buffer is large enough to contain all the bits the driver requests. The existing buffers are large enough to include anything defined until now, but it would be possible to add more definitions in the future, so increase them a bit as well to make this more future proof. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/sme.c')
1 files changed, 3 insertions, 2 deletions
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 9b6667a..82aef0d 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -151,7 +151,7 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_IEEE80211R */
int i, bssid_changed;
struct wpabuf *resp = NULL;
- u8 ext_capab[10];
+ u8 ext_capab[18];
int ext_capab_len;
if (bss == NULL) {
@@ -371,7 +371,8 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_HS20 */
- ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab);
+ ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
+ sizeof(ext_capab));
if (ext_capab_len > 0) {
u8 *pos = wpa_s->sme.assoc_req_ie;
if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN)