Index: net80211/ieee80211_wireless.c
===================================================================
--- net80211/ieee80211_wireless.c	(revision 1600)
+++ net80211/ieee80211_wireless.c	(working copy)
@@ -1425,6 +1425,8 @@
 	memcpy(p, leader, leader_len);
 	bufsize -= leader_len;
 	p += leader_len;
+	if (bufsize < ielen)
+		return 0;
 	for (i = 0; i < ielen && bufsize > 2; i++)
 		p += sprintf(p, "%02x", ie[i]);
 	return (i == ielen ? p - (u_int8_t *)buf : 0);
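Review bot: The new guard compares bufsize against ielen, but the loop below emits two hex characters per IE byte plus sprintf's terminating NUL, so a buffer that is at least ielen but smaller than 2 * ielen + 1 bytes still overruns. The `bufsize > 2` loop condition does not catch this, because bufsize is not decremented inside the loop as shown. The check should be `if (bufsize < 2 * ielen + 1) return 0;`. The enclosing function begins outside the hunk, so the declared types of bufsize and ielen are not visible here; if they differ in signedness the comparison needs a consistent cast.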
@@ -1446,7 +1448,8 @@
 	char *current_ev = req->current_ev;
 	char *end_buf = req->end_buf;
 #if WIRELESS_EXT > 14
-	char buf[64 * 2 + 30];
+#define MAX_IE_LENGTH 64 * 2 + 30
+	char buf[MAX_IE_LENGTH];
 #endif
 	struct iw_event iwe;
 	char *current_val;
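Review bot: `MAX_IE_LENGTH` expands to `64 * 2 + 30` without enclosing parentheses, so any use inside a larger expression (for instance `MAX_IE_LENGTH - 1` or `2 * MAX_IE_LENGTH`) silently miscomputes; write `#define MAX_IE_LENGTH (64 * 2 + 30)`. The macro is also introduced inside the function body under `#if WIRELESS_EXT > 14`, while the checks that use it in the later hunks sit under `#ifdef IWEVGENIE`; if those two conditions can ever differ in a build, the uses would fail to compile, so defining it once at file scope with a short comment on what the 64 * 2 + 30 budget represents would be safer. The enclosing function starts outside the hunk.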
@@ -1548,6 +1551,8 @@
 	if (se->se_rsn_ie != NULL) {
 #ifdef IWEVGENIE
 		memset(&iwe, 0, sizeof(iwe));
+		if ((se->se_rsn_ie[1] + 2) > MAX_IE_LENGTH)
+			return;
 		memcpy(buf, se->se_rsn_ie, se->se_rsn_ie[1] + 2);
 		iwe.cmd = IWEVGENIE;
 		iwe.u.data.length = se->se_rsn_ie[1] + 2;
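Review bot: An oversized RSN IE now makes the function return early, which discards everything the function would have emitted after this point for the scan entry (including the WPA IE handled in the next hunk, which adds the same check) instead of skipping only the one IE that does not fit; a branch that skips this IWEVGENIE emission and continues would be the less lossy choice. Since the IE length byte holds at most 255, a buffer of 257 bytes can never be exceeded by `se_rsn_ie[1] + 2`, so enlarging buf to that size would remove the need for the runtime check altogether; whether the stack budget of this function allows that is not visible here. The enclosing function starts outside the hunk.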
@@ -1568,6 +1573,8 @@
 	if (se->se_wpa_ie != NULL) {
 #ifdef IWEVGENIE
 		memset(&iwe, 0, sizeof(iwe));
+		if ((se->se_wpa_ie[1] + 2) > MAX_IE_LENGTH)
+			return;
 		memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);
 		iwe.cmd = IWEVGENIE;
 		iwe.u.data.length = se->se_wpa_ie[1] + 2;
