From 5ebe8c8179b59563fceb59a3b82c9cb02f7a40dd Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 5 Feb 2013 17:40:09 +0200
Subject: [PATCH] HS 2.0: Fix IE buffer length for extra scan IEs
The HS 2.0 Indication element is 7 (not 6) octets. The previous implementation could result in wpabuf validation code stopping the program if HS 2.0 was enabled without Interworking or P2P (which would have created a large enough buffer to avoid hitting this) being enable.
Signed-hostap: Jouni Malinen
---
 wpa_supplicant/scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c
index 25a9ef821..19405a453 100644
--- a/wpa_supplicant/scan.c
+++ b/wpa_supplicant/scan.c
@@ -735,7 +735,7 @@ ssid_list_set:
 extra_ie = wpa_supplicant_extra_ies(wpa_s);
 #ifdef CONFIG_HS20
- if (wpa_s->conf->hs20 && wpabuf_resize(&extra_ie, 6) == 0)
+ if (wpa_s->conf->hs20 && wpabuf_resize(&extra_ie, 7) == 0)
 wpas_hs20_add_indication(extra_ie);
 #endif /* CONFIG_HS20 */
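Review bot: The literal `7` in `wpabuf_resize(&extra_ie, 7)` still has to be kept in step by hand with whatever `wpas_hs20_add_indication()` writes, which is the same coupling that let the old `6` go unnoticed until the wpabuf bounds check stopped the program. At minimum the line deserves a comment such as `/* HS 2.0 Indication element is 7 octets; keep in sync with wpas_hs20_add_indication() */`. Better would be a named length constant declared next to that helper and used here in place of the literal. The helper's body is not in this hunk, so its exact write size is taken from the commit message only. The enclosing function starts and ends outside the hunk, so other callers of the helper may need the same treatment.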