From 27d698a0c073c41cd99f2a2493ee479377bd886f Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Mon, 21 Oct 2019 14:59:17 -0700
Subject: [PATCH] sae: fix incorrect length adjustment

The commit/confirm processing was incorrectly subtracting 2 from the length when they should be subtracting 6. As with the other similar change, the length is validated with mpdu_validate so subtracting 6 will not cause an overflow.
---
 src/sae.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sae.c b/src/sae.c
index da121eee..cc920c9a 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -1040,10 +1040,10 @@ static int sae_rx_authenticate(struct auth_proto *ap,
 switch (L_LE16_TO_CPU(auth->transaction_sequence)) {
 case SAE_STATE_COMMITTED:
 return sae_process_commit(sm, hdr->address_2, auth->ies,
- len - 2);
+ len - 6);
 case SAE_STATE_CONFIRMED:
 return sae_process_confirm(sm, hdr->address_2, auth->ies,
- len - 2);
+ len - 6);
 default:
 l_error("invalid transaction sequence %u",
 L_LE16_TO_CPU(auth->transaction_sequence));
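Review bot: The `len - 6` passed to sae_process_commit() and sae_process_confirm() relies on a lower bound that is enforced outside this hunk. The commit message attributes it to mpdu_validate, but nothing next to the switch records that. If `len` is an unsigned type and ever arrives here below 6, the subtraction wraps and both handlers would walk `auth->ies` with a huge length, so an explicit guard before the switch such as `if (len < 6) return -EBADMSG;` (or whichever error this function already uses for malformed frames) would pin the invariant locally. The literal 6 presumably covers the three 2-byte fixed fields ahead of `ies`; a comment like `/* skip algorithm, transaction sequence and status, 2 bytes each */`, or deriving the value with `offsetof()` on the type of `auth`, would keep the two call sites from drifting again. The body of sae_rx_authenticate starts and ends outside the hunk, so an existing check there cannot be ruled out.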