git.ipfire.org Git - thirdparty/hostap.git/commitdiff
Fix LCI request subelement processing
author Jouni Malinen <jouni@qca.qualcomm.com>
Tue, 3 Jan 2017 13:12:34 +0000 (15:12 +0200)
committer Jouni Malinen <j@w1.fi>
Tue, 3 Jan 2017 13:18:29 +0000 (15:18 +0200)
Commit 4a742011abca8a9c185cc40d17783cfa4c9af757 ('wpa_supplicant: Handle
LCI request') introduced LCI request parsing in a manner that
incremented the request pointer by four within
wpas_rrm_build_lci_report() without decrementing len correspondingly.
This could potentially result in get_ie() reading four octets beyond the
buffer if a corrupted request is received. This would be applicable only
if the LCI reporting was enabled explicitly ("SET LCI ..." control
interface command).

Fix this by updating the len variable to match the request pointer
changes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_supplicant/wpa_supplicant.c

index 214b9b346a02ca81230ab516c29b81ec626f14a9..bbb763e87a20ab9c2c7f0d2e98ef70078b2a1046 100644 (file)
@@ -6565,6 +6565,7 @@ static struct wpabuf * wpas_rrm_build_lci_report(struct wpa_supplicant *wpa_s,
        request++;
        type = *request++;
        subject = *request++;
+       len -= 4;
 
        wpa_printf(MSG_DEBUG,
                   "Measurement request token %u type %u location subject %u",
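
Review bot: `len -= 4;` after `subject = *request++;` is only safe if len is known to be at least 4 at this point, and no such check is visible in this hunk. Please confirm that the function rejects shorter requests before the pointer is advanced; otherwise the subtraction goes negative or wraps, depending on the type of len, and the length later used to bound the subelement search is wrong again. The constant 4 also has to stay in step with the number of request increments, only three of which appear in this context, so a short comment naming the four octets being skipped, or decrementing len next to each increment, would keep the pointer and the length from drifting apart in a later edit.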