mesh: Fix off-by-one in buf length calculation

The maximum size of a Mesh Peering Management element in the case
of an AMPE close frame is actually 24 bytes, not 23 bytes, plus the
two bytes of the IE header (IEEE Std 802.11-2016, 9.4.2.102). Found by
inspection.

The other buffer components seem to use large enough extra room in their
allocations to avoid hitting issues with the full buffer size even
without this fix.

Signed-off-by: Bob Copeland <bobcopeland@fb.com>

diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index d166cfeec990b70661cf4e87b2848af5f929ac59..cbb1cd36ff7a0ce2fea826fd492597e009b770bf 100644 (file)
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -228,7 +228,7 @@ static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s,
                  2 + (32 - 8) +
                  2 + 32 + /* mesh ID */
                  2 + 7 +  /* mesh config */
-                 2 + 23 + /* peering management */
+                 2 + 24 + /* peering management */
                  2 + 96 + /* AMPE */
                  2 + 16;  /* MIC */
 #ifdef CONFIG_IEEE80211N