Fix EAP-FAST PAC file writer to avoid crash with multiple PACs

One of the pointers to the PAC buffer was not updated after realloc
and if the realloc ended up returning new pointer, the *pos pointer
was still pointing at the old location (i.e., freed memory at
this point).

src/eap_peer/eap_fast_pac.c

@@ -497,6 +497,7 @@ static void eap_fast_write(char **buf, char **pos, size_t *buf_len,
 			*buf = NULL;
 			return;
 		}
+		*pos = nbuf + (*pos - *buf);
 		*buf = nbuf;
 		*buf_len += need;
 	}