On Mon, Feb 29, 2016 at 02:29:59PM +0200, Ilan Peer wrote:
> In BSS transition management request, it is possible that vendor specific IEs
> are included after the candidate list. In this case the candidates count is
> incremented although the candidate list is already over, which may result in
> accessing uninitialized data.

This is obviously a bug, but I don't see where the accessing of uninitialized data would occur in the traditional sense of "uninitialized". The wpa_s->wnm_neighbor_report_elements array is initialized to all zeros (os_calloc) and an extra IE in the end of the frame would result in an extra neighbor list entry due to the count incremented, but that entry would be all zeros (for BSSID 00:00:00:00:00:00 and without any extra information).

-- 
Jouni Malinen                                            PGP id EFC895FA
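The counting behaviour discussed in this thread, as an added example: a simplified stand-alone model, not wpa_supplicant code and not written by either participant. The names `parse_candidates`, `list`, `count_all_ies` and `MAX_CANDIDATES` and the sample frame bytes are assumptions constructed for illustration; the zeroed array stands in for the os_calloc'd one mentioned above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_NEIGHBOR_REPORT 52  /* IEEE 802.11 Neighbor Report element ID */
#define EID_VENDOR_SPECIFIC 221 /* IEEE 802.11 vendor specific element ID */
#define MAX_CANDIDATES 10       /* assumed cap for this model */

/* Simplified stand-in for the supplicant's neighbor report array. */
static struct candidate { uint8_t bssid[6]; } list[MAX_CANDIDATES];

/* Constructed sample: one Neighbor Report, then one vendor specific IE. */
static const uint8_t sample_ies[] = {
    EID_NEIGHBOR_REPORT, 13, 2, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0, 0, 0, 81, 6, 7,
    EID_VENDOR_SPECIFIC, 4, 0x00, 0x50, 0xf2, 1,
};

/* count_all_ies=1 models the behaviour discussed in the thread (count bumped
 * for every IE); 0 counts Neighbor Report elements only. Returns the count. */
size_t parse_candidates(const uint8_t *ies, size_t total, int count_all_ies)
{
    size_t n = 0;

    memset(list, 0, sizeof(list));      /* stands in for os_calloc() */
    for (size_t i = 0; total - i >= 2 && n < MAX_CANDIDATES; i += 2 + ies[i + 1]) {
        uint8_t tag = ies[i], len = ies[i + 1];
        if (len > total - i - 2)
            break;                      /* truncated element */
        if (tag == EID_NEIGHBOR_REPORT && len >= 13)
            memcpy(list[n++].bssid, ies + i + 2, 6);
        else if (count_all_ies)
            n++;                        /* slot keeps its all-zero contents */
    }
    return n;
}

/* 1 if entry idx of the most recent parse has BSSID 00:00:00:00:00:00. */
int bssid_is_zero(size_t idx)
{
    static const uint8_t zero[6];
    return memcmp(list[idx].bssid, zero, 6) == 0;
}

int main(void)
{
    printf("every IE counted: %zu entries\n", parse_candidates(sample_ies, sizeof(sample_ies), 1));
    printf("reports only: %zu entries\n", parse_candidates(sample_ies, sizeof(sample_ies), 0));
    return 0;
}
```

With every IE counted, the trailing vendor specific element yields a second candidate whose BSSID is all zeros; counting only Neighbor Report elements leaves one candidate.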