From fba5d9650a10cc4af8c58c9c49b18373f7fa333a Mon Sep 17 00:00:00 2001
From: Marcel Holtmann <marcel@holtmann.org>
Date: Tue, 29 Dec 2009 14:15:51 -0800
Subject: [PATCH] Fix length checks for WPA and RSN IEs

---
 plugins/supplicant.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/supplicant.c b/plugins/supplicant.c
index 469e861..8ae4b67 100644
--- a/plugins/supplicant.c
+++ b/plugins/supplicant.c
@@ -1332,7 +1332,7 @@ static void extract_wpaie(DBusMessageIter *value,
 	dbus_message_iter_recurse(value, &array);
 	dbus_message_iter_get_fixed_array(&array, &ie, &ie_len);
 
-	if (ie_len > 0) {
+	if (ie_len > 6) {
 		result->has_wpa = TRUE;
 		extract_rsn(result, ie + 6, ie_len - 6);
 	}
@@ -1348,7 +1348,7 @@ static void extract_rsnie(DBusMessageIter *value,
 	dbus_message_iter_recurse(value, &array);
 	dbus_message_iter_get_fixed_array(&array, &ie, &ie_len);
 
-	if (ie_len > 0) {
+	if (ie_len > 2) {
 		result->has_rsn = TRUE;
 		extract_rsn(result, ie + 2, ie_len - 2);
 	}
-- 
2.7.4