[PATCH 3/9] WNM: Fix candidates count in BSS Transition Management request

Ilan Peer ilan.peer at intel.com
Mon Feb 29 04:29:59 PST 2016


From: Avraham Stern <avraham.stern at intel.com>

In BSS transition management request, it is possible that vendor specific IEs
are included after the candidate list. In this case the candidates count is
incremented although the candidate list is already over, which may result in
accessing uninitialized data.

Fix that by incrementing the candidates count only if the IE ID is the neighbor
report EID.

Signed-off-by: Avraham Stern <avraham.stern at intel.com>
---
 wpa_supplicant/wnm_sta.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 4da9124..b8f717e 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -1115,10 +1115,10 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
 				rep = &wpa_s->wnm_neighbor_report_elements[
 					wpa_s->wnm_num_neighbor_report];
 				wnm_parse_neighbor_report(wpa_s, pos, len, rep);
+				wpa_s->wnm_num_neighbor_report++;
 			}
 
 			pos += len;
-			wpa_s->wnm_num_neighbor_report++;
 		}
 		wnm_sort_cand_list(wpa_s);
 		wnm_dump_cand_list(wpa_s);
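Review bot: The bound on the array index is not visible at `rep = &wpa_s->wnm_neighbor_report_elements[wpa_s->wnm_num_neighbor_report];`, and after this change the counter no longer advances on every loop iteration, so please confirm that the enclosing loop condition (outside this hunk) still caps `wnm_num_neighbor_report` at the array size and does not rely on the old once-per-element increment. Moving the increment next to `wnm_parse_neighbor_report(wpa_s, pos, len, rep);` does match the commit message, since `wnm_sort_cand_list()` and `wnm_dump_cand_list()` then only see entries that were actually written. The increment is still unconditional on what the parse call produced, because the call's result is not checked in these lines; if a malformed or truncated neighbor report can leave `rep` partially filled, consider counting the entry only when parsing yields a usable candidate. A test frame with a vendor specific IE following the candidate list would be a useful regression case to add with this fix.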
-- 
1.9.1



