> -----Original Message-----
> From: Jouni Malinen [mailto:j@xxxxx]
> Sent: Thursday, March 03, 2016 17:28
> To: Peer, Ilan
> Cc: hostap@xxxxxxxxxxxxxxxxxxx; Stern, Avraham
> Subject: Re: [PATCH 3/9] WNM: Fix candidates count in BSS Transition Management request
>
> On Mon, Feb 29, 2016 at 02:29:59PM +0200, Ilan Peer wrote:
> > In BSS transition management request, it is possible that vendor
> > specific IEs are included after the candidate list. In this case the
> > candidates count is incremented although the candidate list is already
> > over, which may result in accessing uninitialized data.
>
> This is obviously a bug, but I don't see where the accessing of uninitialized
> data would occur in the traditional sense of "uninitialized". The
> wpa_s->wnm_neighbor_report_elements array is initialized to all zeros (os_calloc)
> and an extra IE in the end of the frame would result in an extra neighbor list
> entry due to the count incremented, but that entry would be all zeros (for
> BSSID 00:00:00:00:00:00 and without any extra information).
>

Agree. This was an inadequate choice of words :)

Ilan.
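
The counting problem discussed in this thread, as an added illustration that is not part of either message and is not hostap code: a simplified element walker that, in its loose mode, bumps the count for any element, beside a strict mode that counts only Neighbor Report elements. The names `parse_candidates`, `struct candidate`, `MAX_CANDIDATES` and the sample bytes are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_NEIGHBOR_REPORT 52  /* IEEE 802.11 Neighbor Report element ID */
#define MAX_CANDIDATES 10       /* assumed cap for this sketch */

struct candidate { uint8_t bssid[6]; };

/* Walk id/len/value elements. strict == 0 counts every element (the behaviour
 * the thread describes); strict == 1 counts only Neighbor Report elements. */
static size_t parse_candidates(const uint8_t *buf, size_t len, int strict,
                               struct candidate *out)
{
    size_t pos = 0, count = 0;
    while (len - pos >= 2 && count < MAX_CANDIDATES) {
        uint8_t id = buf[pos], elen = buf[pos + 1];
        if (elen > len - pos - 2)
            break;                      /* truncated element: stop */
        if (id == EID_NEIGHBOR_REPORT && elen >= 13)
            memcpy(out[count++].bssid, &buf[pos + 2], 6);
        else if (!strict)
            count++;                    /* slot consumed but never filled */
        pos += 2 + elen;
    }
    return count;
}

/* Constructed sample: one Neighbor Report, then a vendor-specific IE (221). */
static const uint8_t sample[] = {
    52, 13, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0, 0, 0, 81, 6, 7,
    221, 4, 0x00, 0x50, 0xf2, 0x01,
};

/* Returns 1 when the last counted entry still holds the all-zero BSSID. */
static int last_is_zero(const struct candidate *c, size_t n)
{
    static const uint8_t zero[6];
    return n > 0 && memcmp(c[n - 1].bssid, zero, 6) == 0;
}

int main(void)
{
    struct candidate a[MAX_CANDIDATES] = {0}, b[MAX_CANDIDATES] = {0};
    size_t na = parse_candidates(sample, sizeof(sample), 0, a);
    size_t nb = parse_candidates(sample, sizeof(sample), 1, b);
    printf("loose=%zu (last zero: %d), strict=%zu\n", na, last_is_zero(a, na), nb);
    return 0;
}
```

Because the destination array is zero-filled before parsing, the surplus entry in loose mode is a candidate with BSSID 00:00:00:00:00:00 rather than stale memory, which is the distinction drawn in the reply.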