RRM: Fix the parsing of the Extended Request subelement in beacon req

The Extended Request subelement of a Beacon Request is expected to also
include the Requested Element ID field (that identifies the Element ID
used to indicated extended elements) which needs to be skipped to get
the Requested Element ID Extensions.

Fixes: 2d4f905214b7 ("RRM: Add support for including extended ID elements in beacon report")
Signed-off-by: Ilan Peer <ilan.peer@intel.com>

diff --git a/wpa_supplicant/rrm.c b/wpa_supplicant/rrm.c
index 2aaf7d35f0867587740d74ba89f6b6c01f540858..343f450d837dd26566368ae613d3a4c7d13ea286 100644 (file)
--- a/wpa_supplicant/rrm.c
+++ b/wpa_supplicant/rrm.c
@@ -1117,6 +1117,24 @@ static int wpas_rm_handle_beacon_req_subelem(struct wpa_supplicant *wpa_s,
                        return -1;
                }
 
+               if (sid == WLAN_BEACON_REQUEST_SUBELEM_EXT_REQUEST) {
+                       if (slen < 2) {
+                               wpa_printf(MSG_DEBUG,
+                                          "Invalid extended request");
+                               return -1;
+                       }
+                       if (subelem[0] != WLAN_EID_EXTENSION) {
+                               wpa_printf(MSG_DEBUG,
+                                          "Skip unknown Requested Element ID %u in Extended Request subelement",
+                                          subelem[0]);
+                               break;
+                       }
+
+                       /* Skip the Requested Element ID field */
+                       subelem++;
+                       slen--;
+               }
+
                if ((sid == WLAN_BEACON_REQUEST_SUBELEM_REQUEST &&
                     data->eids) ||
                    (sid == WLAN_BEACON_REQUEST_SUBELEM_EXT_REQUEST &&