From bc9e70f9cd58f716b4b84202ad058e5469f83eee Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Fri, 1 Feb 2019 14:34:04 -0800
Subject: [PATCH] sae: fix length check and commit buffer size
A length check was still assuming the 256 bit ECC group. This was updated to scale with the group. The commit buffer was also not properly sized. This was changed to allow for the largest ECC group supported.
---
 src/sae.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/sae.c b/src/sae.c
index ea980c53..3f38e998 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -435,7 +435,8 @@ static void sae_process_commit(struct sae_sm *sm, const uint8_t *from,
 goto reject;
 }
- if (len < 98) {
+ /* Scalar + Point + group */
+ if (len < nbytes + nbytes * 2 + 2) {
 l_error("bad packet length");
 goto reject;
 }
@@ -588,8 +589,8 @@ reject:
 static void sae_send_commit(struct sae_sm *sm, bool retry)
 {
 struct handshake_state *hs = sm->handshake;
- /* regular commit + possible 256 byte token */
- uint8_t commit[358];
+ /* regular commit + possible 256 byte token + 6 bytes header */
+ uint8_t commit[L_ECC_SCALAR_MAX_BYTES + L_ECC_POINT_MAX_BYTES + 262];
 size_t len;
 if (!sae_build_commit(sm, hs->spa, hs->aa, commit, &len, retry))
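Review bot: The new minimum in `if (len < nbytes + nbytes * 2 + 2)` is only as sound as `nbytes`, which is assigned outside this hunk; if it is derived from anything other than the group this exchange has settled on, the scalar and point reads that presumably follow could run past `len`. The check sits in the middle of sae_process_commit, whose start and end are not in the hunk, so its ordering against the group validation cannot be confirmed from here. I would spell the accounting out in the comment, `/* scalar (nbytes) + point (2 * nbytes) + 2-byte group */`, so the literal `2` does not have to be decoded by the next reader.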
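Review bot: The capacity of `commit` never reaches the code that fills it: the call at the end of the hunk is `sae_build_commit(sm, hs->spa, hs->aa, commit, &len, retry)`, so the builder has to trust that the caller's arithmetic matches what it writes. That is the same arrangement that let the old `commit[358]` fall out of step with larger groups, and the new size still depends on the token never exceeding 256 bytes, a limit that is enforced (if at all) outside this hunk. I would pass `sizeof(commit)` into sae_build_commit and have it fail when header, scalar, point and token do not fit, and replace `262` with named constants for the 6-byte header and the 256-byte token maximum. sae_send_commit continues past the last line shown.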