Cumulative patch from commit 6590b6400f73762fc6a53ad6ca05a73246cc5e54
6590b64 EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
49d13df P2P: Fix wfd_dev_info parsing for P2P-DEVICE-FOUND (CID 68127)
1851e17 dbus: Clean up P2P group vendor ext getter
137ff33 HS 2.0R2: Fix OSEN IE parsing for in cipher setup (CID 68132)
2703fb4 WNM: Use cleaner way of generating pointer to a field (CID 68100)
da995b2 WNM: Use cleaner way of generating pointer to a field (CID 68099)
062833c GAS server: Fix request frame length validation (CID 68098)
5ce3ae4 HT: Use cleaner way of generating pointer to a field (CID 68097)
fb5d417 P2P: Use cleaner way of generating pointer to a field (CID 68096)
35c0318 P2P: Use cleaner way of generating pointer to a field (CID 68095)
e987c70 dbus: Add explicit break statements to switch-default
6446420 dbus: Initialize temporary entry properly (CID 62877)
70d9537 Use clearer way of getting pointer to a frame (CID 62835)
c02f35f WPS: Clean up indentation level (CID 68109)
0e87e79 Fix HS20_GET_NAI_HOME_REALM_LIST hex length check (CID 68108)
beb9e11 dbus: Avoid theoretical memory leaks with duplicated dict entries
ceb4cd8 dbus: Fix a potential double-free in on error path (CID 62880)
68e2b88 TNC: Fix minor memory leak (CID 62848)
5519241 GAS: Limit TX wait time based on driver maximum value
a0ab408 P2P: Fix SD and DevDisc to limit maximum wait time per driver support
Change-Id: If9bdd7b9961c775e39ce1a8fb58220052434b395
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/wpa_supplicant/wifi_display.c b/wpa_supplicant/wifi_display.c
index 8435b63..f0c4364 100644
--- a/wpa_supplicant/wifi_display.c
+++ b/wpa_supplicant/wifi_display.c
@@ -276,6 +276,8 @@
while (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN < buflen) {
elen = WPA_GET_BE16(buf + i + 1);
+ if (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN + elen > buflen)
+ break; /* truncated subelement */
if (buf[i] == id) {
subelem = os_zalloc(2 * elen + 1);