aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant
diff options
context:
space:
mode:
authorBob Copeland <me@bobcopeland.com>2018-11-23 15:15:42 (GMT)
committerJouni Malinen <j@w1.fi>2018-11-24 11:30:28 (GMT)
commit25778502d5ec45e0dc936a0c8e294c4a3a6c58c4 (patch)
treeedbf5fcecf23661b243fb8ec5a8c4b2dd9e93e57 /wpa_supplicant
parent2b7f46f1c7ee9f8e21ca90efc7f2a77c8c36c26f (diff)
downloadhostap-25778502d5ec45e0dc936a0c8e294c4a3a6c58c4.zip
hostap-25778502d5ec45e0dc936a0c8e294c4a3a6c58c4.tar.gz
hostap-25778502d5ec45e0dc936a0c8e294c4a3a6c58c4.tar.bz2
mesh: Fix off-by-one in buf length calculation
The maximum size of a Mesh Peering Management element in the case of an AMPE close frame is actually 24 bytes, not 23 bytes, plus the two bytes of the IE header (IEEE Std 802.11-2016, 9.4.2.102). Found by inspection. The other buffer components seem to use large enough extra room in their allocations to avoid hitting issues with the full buffer size even without this fix. Signed-off-by: Bob Copeland <bobcopeland@fb.com>
Diffstat (limited to 'wpa_supplicant')
-rw-r--r--wpa_supplicant/mesh_mpm.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index d166cfe..cbb1cd3 100644
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -228,7 +228,7 @@ static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s,
2 + (32 - 8) +
2 + 32 + /* mesh ID */
2 + 7 + /* mesh config */
- 2 + 23 + /* peering management */
+ 2 + 24 + /* peering management */
2 + 96 + /* AMPE */
2 + 16; /* MIC */
#ifdef CONFIG_IEEE80211N