From: Avraham Stern <avraham.stern@xxxxxxxxx> In BSS transition management request, it is possible that vendor specific IEs are included after the candidate list. In this case the candidates count is incremented although the candidate list is already over, which may result in accessing uninitialized data. Fix that by incrementing the candidates count only if the IE ID is the neighbor report EID. Signed-off-by: Avraham Stern <avraham.stern@xxxxxxxxx> --- wpa_supplicant/wnm_sta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c index 4da9124..b8f717e 100644 --- a/wpa_supplicant/wnm_sta.c +++ b/wpa_supplicant/wnm_sta.c @@ -1115,10 +1115,10 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s, rep = &wpa_s->wnm_neighbor_report_elements[ wpa_s->wnm_num_neighbor_report]; wnm_parse_neighbor_report(wpa_s, pos, len, rep); + wpa_s->wnm_num_neighbor_report++; } pos += len; - wpa_s->wnm_num_neighbor_report++; } wnm_sort_cand_list(wpa_s); wnm_dump_cand_list(wpa_s); -- 1.9.1 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
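Review bot: The added wpa_s->wnm_num_neighbor_report++ runs immediately after wnm_parse_neighbor_report(wpa_s, pos, len, rep) whether or not that call actually filled in rep, so a neighbor report element that the parser rejects (for example one that is too short) would still be counted and later handed to wnm_sort_cand_list() and wnm_dump_cand_list(). If the parser can bail out early, consider having it report success and incrementing only in that case, or clearing rep before the call so a counted slot never holds stale data. The visible context also does not show what bounds wnm_num_neighbor_report where it indexes wnm_neighbor_report_elements[]; since the count now advances only on neighbor report elements, it is worth confirming that the enclosing loop condition still caps it at the array size. Moving the increment inside the block does address the case in the commit message, where vendor specific IEs after the candidate list were being counted as candidates.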