[PATCH 3/9] WNM: Fix candidates count in BSS Transition Management request

Jouni Malinen j at w1.fi
Thu Mar 3 07:27:48 PST 2016

On Mon, Feb 29, 2016 at 02:29:59PM +0200, Ilan Peer wrote:
> In BSS transition management request, it is possible that vendor specific IEs
> are included after the candidate list. In this case the candidates count is
> incremented although the candidate list is already over, which may result in
> accessing uninitialized data.

This is obviously a bug, but I don't see where the accessing of
uninitialized data would occur in the traditional sense of
"uninitialized". The wpa_s->wnm_neighbor_report_elements array is
initialized to all zeros (os_calloc) and an extra IE in the end of the
frame would result in an extra neighbor list entry due to the count
incremented, but that entry would be all zeros (for BSSID
00:00:00:00:00:00 and without any extra information).

Jouni Malinen                                            PGP id EFC895FA
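The defect discussed above, as an added illustration that is not hostap code: a minimal IE walker over the element portion of a BSS Transition Management request, run both with the described bug (the candidate count goes up for every element after the fixed fields) and with the obvious fix (only Neighbor Report elements, element ID 52, are counted). The element IDs 52 and 221 are the IEEE 802.11 values; the struct layout, the MAX_CANDIDATES limit and the sample bytes are constructed for this example. Because the output array is zeroed first, as with os_calloc, the surplus entry produced by the buggy variant is an all-zero candidate, which is exactly the 00:00:00:00:00:00 BSSID described in the reply.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IEEE 802.11 element IDs (real values). */
#define WLAN_EID_NEIGHBOR_REPORT 52
#define WLAN_EID_VENDOR_SPECIFIC 221

/* Constructed upper bound for this illustration. */
#define MAX_CANDIDATES 8

/* Constructed candidate record; fields follow the Neighbor Report element body. */
struct candidate {
    uint8_t bssid[6];
    uint32_t bssid_info;
    uint8_t op_class;
    uint8_t channel;
    uint8_t phy_type;
};

/*
 * Walk the elements that follow the fixed fields of a BTM request.
 * strict == 0 mimics the bug: the count is bumped for every element.
 * strict == 1 counts only Neighbor Report elements.
 * Returns the resulting candidate count.
 */
static int count_candidates(const uint8_t *ies, size_t len, int strict,
                            struct candidate *out)
{
    int count = 0;
    size_t pos = 0;

    memset(out, 0, sizeof(*out) * MAX_CANDIDATES); /* zeroed, like os_calloc */

    while (pos + 2 <= len) {
        uint8_t eid = ies[pos];
        uint8_t elen = ies[pos + 1];
        const uint8_t *body = ies + pos + 2;

        if (pos + 2 + elen > len)
            break; /* truncated element: stop rather than read past the buffer */

        if (eid == WLAN_EID_NEIGHBOR_REPORT && elen >= 13 &&
            count < MAX_CANDIDATES) {
            struct candidate *c = &out[count];
            memcpy(c->bssid, body, 6);
            c->bssid_info = (uint32_t)body[6] | ((uint32_t)body[7] << 8) |
                            ((uint32_t)body[8] << 16) | ((uint32_t)body[9] << 24);
            c->op_class = body[10];
            c->channel = body[11];
            c->phy_type = body[12];
            count++;
        } else if (!strict && count < MAX_CANDIDATES) {
            count++; /* buggy path: an unrelated element still bumps the count */
        }
        pos += 2 + (size_t)elen;
    }
    return count;
}

/* Constructed sample: one Neighbor Report element, then a Vendor Specific element. */
static const uint8_t sample_ies[] = {
    WLAN_EID_NEIGHBOR_REPORT, 13,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* BSSID 02:00:00:00:00:01 */
    0x01, 0x00, 0x00, 0x00,               /* BSSID Information */
    81, 6, 7,                             /* op class, channel, PHY type */
    WLAN_EID_VENDOR_SPECIFIC, 5,
    0x00, 0x50, 0xf2, 0x01, 0x00          /* OUI + vendor payload */
};

/* Candidate count with the bug: the vendor element is counted too. */
int demo_buggy_count(void)
{
    struct candidate c[MAX_CANDIDATES];
    return count_candidates(sample_ies, sizeof sample_ies, 0, c);
}

/* Returns 1 if the surplus entry produced by the bug is an all-zero candidate. */
int demo_buggy_extra_is_zero(void)
{
    struct candidate c[MAX_CANDIDATES];
    static const uint8_t zero[6] = {0};
    int n = count_candidates(sample_ies, sizeof sample_ies, 0, c);
    return n == 2 && memcmp(c[1].bssid, zero, 6) == 0 && c[1].bssid_info == 0;
}

/* Candidate count with the fix: only the Neighbor Report element is counted. */
int demo_fixed_count(void)
{
    struct candidate c[MAX_CANDIDATES];
    return count_candidates(sample_ies, sizeof sample_ies, 1, c);
}

int main(void)
{
    printf("buggy count: %d, extra entry zero: %d, fixed count: %d\n",
           demo_buggy_count(), demo_buggy_extra_is_zero(), demo_fixed_count());
    return 0;
}
```

The length check before each element body is the part worth keeping in any real parser: the all-zero surplus entry is a logic error rather than a memory-safety bug, but a missing bounds check on a malformed element length would be.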
