[PATCH 3/9] WNM: Fix candidates count in BSS Transition Management request

Peer, Ilan ilan.peer at intel.com
Sat Mar 5 23:03:46 PST 2016


> -----Original Message-----
> From: Jouni Malinen [mailto:j at w1.fi]
> Sent: Thursday, March 03, 2016 17:28
> To: Peer, Ilan
> Cc: hostap at lists.infradead.org; Stern, Avraham
> Subject: Re: [PATCH 3/9] WNM: Fix candidates count in BSS Transition
> Management request
> 
> On Mon, Feb 29, 2016 at 02:29:59PM +0200, Ilan Peer wrote:
> > In BSS transition management request, it is possible that vendor
> > specific IEs are included after the candidate list. In this case the
> > candidates count is incremented although the candidate list is already
> > over, which may result in accessing uninitialized data.
> 
> This is obviously a bug, but I don't see where the accessing of uninitialized
> data would occur in the traditional sense of "uninitialized". The
> wpa_s->wnm_neighbor_report_elements array is initialized to all zeros
> (os_calloc) and an extra IE in the end of the frame would result in an extra
> neighbor list entry due to the count incremented, but that entry would be all
> zeros (for BSSID 00:00:00:00:00:00 and without any extra information).
> 

Agree. This was an inadequate choice of words :)

Ilan.
