wsc: memory fixes for vendor extension handling

src/i1905_wsc.c

@@ -1110,33 +1110,31 @@ int wsc_process_m2(uint8_t *m1, uint16_t m1_size, void *key,
 					uint8_t *end_of_ext;
 					uint8_t subelem;
 					uint8_t len;
+					uint8_t *tmp_p;
+
+					tmp_p = p;
 
 					/* May be one or more subelements (Section 12 of WSC spec) */
 					end_of_ext = p + attr_len;
-					memcpy(id, p, sizeof(id));
-					p += 3;
-					attr_len -= 3;
+					memcpy(id, tmp_p, sizeof(id));
+					tmp_p += 3;
 
 					if (id[0] == WFA_VENDOR_ID_1
 							&& id[1] == WFA_VENDOR_ID_2
 							&& id[2] == WFA_VENDOR_ID_3) {
-						while (p < end_of_ext) {
-							memcpy(&subelem, p, 1);
-							p += 1;
-							attr_len -= 1;
+						while (tmp_p < end_of_ext) {
+							memcpy(&subelem, tmp_p, 1);
+							tmp_p += 1;
 
-							memcpy(&len, p, 1);
-							p += 1;
-							attr_len -= 1;
+							memcpy(&len, tmp_p, 1);
+							tmp_p += 1;
 
 							if (subelem == WFA_ELEM_MAP) {
-								// Map extension subelement will be 1 byte
-								memcpy(&mapie, p, 1);
-								p += 1;
-								attr_len -= 1;
+								/* Map extension subelement will be 1 byte */
+								memcpy(&mapie, tmp_p, 1);
+								tmp_p += 1;
 							} else {
-								p += len;
-								attr_len -= len;
+								tmp_p += len;
 							}
 
 						}
@@ -1159,7 +1157,7 @@ int wsc_process_m2(uint8_t *m1, uint16_t m1_size, void *key,
 						} else {
 							uint8_t *tmp;
 
-							tmp = realloc(*ext, attr_len + 4);
+							tmp = realloc(*ext, *extlen + attr_len + 4);
 							if (!tmp)
 								break;
 
@@ -1168,8 +1166,8 @@ int wsc_process_m2(uint8_t *m1, uint16_t m1_size, void *key,
 						ext_ptr = *ext + start;
 						bufptr_put_be16(ext_ptr, attr_type);
 						bufptr_put_be16(ext_ptr, attr_len);
-
-						memcpy(ext_ptr, (p - 3), attr_len);
+						memcpy(ext_ptr, p, attr_len);
+						tmp_p  += attr_len;
 						*extlen += attr_len + 4;
 					}
 				}