On Mon, Feb 15, 2016 at 04:53:41PM +0200, Ilan Peer wrote:
> Add the transition candidate list to BSS transition response.
> The candidates' preference is set using the regular wpa_supplicant
> BSS selection logic.
> If the BSS transition request is rejected and updated scan results
> are not available, the list is not added.

> +static int wnm_nei_rep_add_bss(struct wpa_supplicant *wpa_s,

> + ie = wpa_bss_get_ie(bss, WLAN_EID_VHT_OPERATION);
> + if (ie) {
> + vht_oper = (struct ieee80211_vht_operation *)(ie + 2);
> +
> + switch (vht_oper->vht_op_info_chwidth) {

This could result in buffer overflow since ie[1] was not checked to be
large enough. I'm just noting this here, but there are similar buffer
overflows through a number of these patches. Whenever using information
received from an external entity, all the length fields need to be
checked to be valid before reading data.

> + case 2:
> + vht = VHT_CHANWIDTH_80MHZ;
> + break;
> + case 3:
> + vht = VHT_CHANWIDTH_160MHZ;
> + break;
> + case 4:
> + vht = VHT_CHANWIDTH_80P80MHZ;
> + break;
> + default:
> + vht = 0;
> + }
> + }
> +
> + if (ieee80211_freq_to_channel_ext(bss->freq, sec_chan, vht, &op_class,
> + &chan) == NUM_HOSTAPD_MODES) {

Why is that conversion from vht_oper->vht_op_info_chwidth to vht used
here when the Channel Width field in the VHT Operation element is using
those VHT_CHANWIDTH_* values? The values 2, 3, and 4 here do not match
the values used in this field and the correct thing to do would seem to
be simply to set vht = vht_oper->vht_op_info_chwidth.

-- 
Jouni Malinen
PGP id EFC895FA
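Review bot: in the first quoted region, the `if (ie)` guard before `vht_oper = (struct ieee80211_vht_operation *)(ie + 2);` checks only that the element exists, not that its declared length `ie[1]` covers the structure, so a short VHT Operation element in a scanned BSS entry is read past its end when `vht_oper->vht_op_info_chwidth` is dereferenced; the guard should be `if (ie && ie[1] >= sizeof(*vht_oper))` (or an equivalent explicit length check) before the cast.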
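Review bot: in the second quoted region, the `switch` only recognises 2, 3 and 4 and sends every other `vht_op_info_chwidth` value, including the ones the Channel Width field actually carries for 80, 160 and 80+80 MHz per the VHT_CHANWIDTH_* encoding, to `default: vht = 0;`, so `ieee80211_freq_to_channel_ext()` is then called with no VHT width for such BSSs and the derived operating class is wrong; drop the switch and assign `vht = vht_oper->vht_op_info_chwidth;` directly, since the field already uses the VHT_CHANWIDTH_* values.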
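As an added illustration of the length-check point raised above (this is example code, not hostap's own and not part of the thread), the following locates an IE and validates its declared length before the payload is cast to a structure. The helper names `find_ie` and `vht_chanwidth_from_ies` are hypothetical, and the struct layout and VHT_CHANWIDTH_* values are assumed to mirror hostap's defines.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants and struct layout follow hostap's ieee802_11_defs.h, redeclared
 * here so the example is self-contained (assumption: they match upstream). */
#define WLAN_EID_VHT_OPERATION 192
#define VHT_CHANWIDTH_USE_HT   0
#define VHT_CHANWIDTH_80MHZ    1
#define VHT_CHANWIDTH_160MHZ   2
#define VHT_CHANWIDTH_80P80MHZ 3

struct __attribute__((packed)) ieee80211_vht_operation {
	uint8_t vht_op_info_chwidth;          /* Channel Width field */
	uint8_t vht_op_info_chan_center_freq_seg0_idx;
	uint8_t vht_op_info_chan_center_freq_seg1_idx;
	uint16_t vht_basic_mcs_set;
};

/* Walk a buffer of IEs (id, len, payload, ...). Each declared len is checked
 * against the bytes actually remaining, so a truncated or lying length
 * field from a scanned BSS cannot lead the caller past the buffer end. */
static const uint8_t *find_ie(const uint8_t *ies, size_t ies_len, uint8_t eid)
{
	size_t pos = 0;
	while (pos + 2 <= ies_len) {
		uint8_t len = ies[pos + 1];
		if (pos + 2 + len > ies_len)
			return NULL; /* malformed: IE claims bytes that are not there */
		if (ies[pos] == eid)
			return &ies[pos];
		pos += 2 + len;
	}
	return NULL;
}

/* Return the Channel Width value from the VHT Operation element, or -1 when
 * the element is absent or ie[1] is too small to hold the structure. The
 * field already uses the VHT_CHANWIDTH_* encoding, so it is used as-is. */
int vht_chanwidth_from_ies(const uint8_t *ies, size_t ies_len)
{
	const uint8_t *ie = find_ie(ies, ies_len, WLAN_EID_VHT_OPERATION);
	struct ieee80211_vht_operation oper;

	if (!ie || ie[1] < sizeof(oper))
		return -1;
	memcpy(&oper, ie + 2, sizeof(oper)); /* copy out: no unaligned access */
	return oper.vht_op_info_chwidth;
}
```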