Fix ieee802_11_defrag_mle_subelem() check on remaining buffer

The end pointer moves as well when cutting out a subelement
header. While the previous version checked against the original full
buffer, it is more accurate to check against the updated end of the
buffer.

Signed-off-by: Bruno Kremp <bruno.kremp@sony.com>

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 5d1e02f81e1ec53ec58f2b3221ef98fe52f27397..5bcab11df7ccc0fe7c6faed1ae4d1b1b4bbadd44 100644 (file)
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -3524,6 +3524,7 @@ ssize_t ieee802_11_defrag_mle_subelem(struct wpabuf *mlbuf,
                        return -1;
 
                os_memmove(pos, pos + 2, end - (pos + 2));
+               end -= 2;
                pos += elen - 2;
                subelem_len += elen - 2;