Fix bug in eap_ttls_avp_encapsulate() when >248 bytes are encapsulated.

src pointer wasn't being advanced, so the first 248 bytes were duplicated
in place of the remainder of the message.

diff --git a/libeap/src/eap_peer/eap_ttls.c b/libeap/src/eap_peer/eap_ttls.c
index 855ce49..ef966cb 100644 (file)
--- a/libeap/src/eap_peer/eap_ttls.c
+++ b/libeap/src/eap_peer/eap_ttls.c
@@ -288,6 +288,7 @@ static int eap_ttls_avp_vsa_encapsulate(struct wpabuf **resp, u32 vendor,
                                       avp_size);
                os_memcpy(pos, src, avp_size);
                pos += avp_size;
+               src += avp_size;
                AVP_PAD(avp, pos);
                wpabuf_put(msg, pos - avp);
                avp = pos;