On Fri, Aug 18, 2023 at 03:16:39PM +0800, Allen Ye wrote:
> Fix rnr ie length when no need to report bss. If we don't have content in
> TBTT then don't need to change the length of the ie (*size_offset).

> diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
> @@ -7484,8 +7484,10 @@ static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
> start = i;
> - *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
> - *size_offset = (eid - size_offset) - 1;
> + if (tbtt_count != 0) {
> + *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
> + *size_offset = (eid - size_offset) - 1;
> + }

That tbtt_count - 1 part looks obviously wrong for tbtt_count == 0, but does
this actually fix the full issue here? The eid pointer has already been
advanced by four bytes at this point, i.e., the fixed fields of the Neighbor
AP Information field have already been written here (with the first octet not
explicitly written, but it would likely be initialized to 0). Those four
bytes would remain here and the next iteration of the while loop might add
more entries after this with another set of those four bytes. And that would
seem to result in invalid information.

In addition to making those two operations conditional on tbtt_count > 0,
should this also restore eid and len back to their previous values (i.e.,
something like eid -= RNR_TBTT_HEADER_LEN; len -= RNR_TBTT_HEADER_LEN;)?

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
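Review bot: the new `if (tbtt_count != 0)` branch only skips the two assignments; the four fixed octets of the Neighbor AP Information field that were emitted when eid was advanced by RNR_TBTT_HEADER_LEN stay in the buffer and len still counts them, so an iteration that reports no BSS leaves an empty header behind and the next iteration appends its own header and entries after it. Add an else path that rewinds both, e.g. `} else { eid -= RNR_TBTT_HEADER_LEN; len -= RNR_TBTT_HEADER_LEN; }`, or defer writing the header until the first TBTT Information entry for the group is known to exist. The first octet of that header (the count) is also never explicitly initialized in the visible hunk, so the stray header reads as one TBTT Information entry of the length stored in its second octet, which a receiver would then try to consume from the following bytes.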
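The effect discussed above, as an added example that is not hostapd code and not part of the thread: a simplified model of assembling an RNR element, with one pass per operating class/channel like the while loop in hostapd_eid_rnr_iface. With rewind disabled it behaves like the patch as posted (the header of a group that reports nothing is kept); with rewind enabled eid and len are restored as Jouni suggests. The macro values, the 13-octet TBTT Information layout, the 255 "unknown" TBTT Offset and the sample BSSIDs are assumptions constructed for this model; validate_rnr is a strict receiver-side walk written for the example, not a hostapd function.

```c
/* Added example, not hostapd code: model of RNR element assembly showing what
 * an empty Neighbor AP Information group leaves behind when only the count and
 * length assignments are skipped (patch as posted) versus when eid/len rewind.
 * Macro values and field layout below are assumptions for this model. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_EID_REDUCED_NEIGHBOR_REPORT 201
#define RNR_TBTT_HEADER_LEN 4	/* TBTT Info Header (2) + Op Class (1) + Channel (1) */
#define RNR_TBTT_INFO_LEN 13	/* one TBTT Information field in this model */
#define RNR_TBTT_INFO_COUNT(x) (((x) & 0xf) << 4)

/* One group = one pass of the while loop: the BSSs sharing an operating
 * class/channel, each flagged as reported or not. */
struct bss_model { uint8_t bssid[6]; int report; };
struct group_model { uint8_t op_class, channel; const struct bss_model *bss; size_t n_bss; };

/* Build the element into out (assumed large enough); return its total length.
 * rewind == 0 keeps the header of an empty group, as the patch as posted does;
 * rewind != 0 restores eid and len so that header is dropped again. */
size_t build_rnr(const struct group_model *groups, size_t n_groups, int rewind,
		 uint8_t *out)
{
	uint8_t *eid = out, *size_offset;
	size_t len = 0;

	*eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
	size_offset = eid++;
	for (size_t g = 0; g < n_groups; g++) {
		uint8_t *tbtt_count_pos = eid;	/* first octet of the TBTT Info Header */
		unsigned tbtt_count = 0;

		/* fixed fields of the Neighbor AP Information field */
		*eid++ = 0;			/* TBTT Info Count, filled in below */
		*eid++ = RNR_TBTT_INFO_LEN;	/* TBTT Info Length */
		*eid++ = groups[g].op_class;
		*eid++ = groups[g].channel;
		len += RNR_TBTT_HEADER_LEN;
		for (size_t i = 0; i < groups[g].n_bss; i++) {
			if (!groups[g].bss[i].report)
				continue;
			*eid++ = 255;			/* TBTT Offset: unknown */
			memcpy(eid, groups[g].bss[i].bssid, 6);
			eid += 6;
			memset(eid, 0, RNR_TBTT_INFO_LEN - 7);	/* Short SSID, BSS params, PSD */
			eid += RNR_TBTT_INFO_LEN - 7;
			len += RNR_TBTT_INFO_LEN;
			tbtt_count++;
		}
		if (tbtt_count != 0) {
			*tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
		} else if (rewind) {
			/* nothing reported: take back the header written above */
			eid -= RNR_TBTT_HEADER_LEN;
			len -= RNR_TBTT_HEADER_LEN;
		}
	}
	*size_offset = (uint8_t) len;
	return (size_t) (eid - out);
}

/* Walk the Neighbor AP Information fields as a strict receiver would; return
 * their number, or -1 if the encoded counts and lengths do not add up. */
int validate_rnr(const uint8_t *elem, size_t elem_len)
{
	size_t pos = 2;
	int fields = 0;

	if (elem_len < 2 || elem[0] != WLAN_EID_REDUCED_NEIGHBOR_REPORT ||
	    (size_t) elem[1] != elem_len - 2)
		return -1;
	while (pos < elem_len) {
		if (elem_len - pos < RNR_TBTT_HEADER_LEN)
			return -1;
		unsigned count = (elem[pos] >> 4) + 1;	/* stored as count - 1 */
		unsigned info_len = elem[pos + 1];
		if (info_len == 0)			/* reserved value */
			return -1;
		pos += RNR_TBTT_HEADER_LEN + (size_t) count * info_len;
		if (pos > elem_len)
			return -1;
		fields++;
	}
	return fields;
}

/* Constructed sample: channel 36 carries two BSSs, neither reported; channel 1
 * carries one reportable BSS. Returns element length; *valid gets the verdict. */
size_t demo(int rewind, int *valid)
{
	static const struct bss_model ch36[] = { { { 2, 0, 0, 0, 0x36, 1 }, 0 }, { { 2, 0, 0, 0, 0x36, 2 }, 0 } };
	static const struct bss_model ch1[] = { { { 2, 0, 0, 0, 1, 1 }, 1 } };
	const struct group_model groups[] = { { 128, 36, ch36, 2 }, { 81, 1, ch1, 1 } };
	uint8_t buf[64];
	size_t n = build_rnr(groups, 2, rewind, buf);

	*valid = validate_rnr(buf, n);
	return n;
}

size_t demo_len(int rewind) { int v; return demo(rewind, &v); }
int demo_valid(int rewind) { int v; demo(rewind, &v); return v; }
```

Without the rewind the element carries four extra octets whose never-written first octet reads as a count of one TBTT Information entry of 13 octets, so the receiver-side walk consumes the real header and part of the real entry as payload and then fails on the leftover bytes; with the rewind the element is exactly one Neighbor AP Information field. The model sets the element length once at the end rather than per iteration as hostapd does, which does not change the point being shown.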