TDLS: Fix checks on prohibit bits

ext_capab/ext_capab_len do not include ID and Length so no extra +2
offset should be used. This fixes a regression from commit
faf427645aa79a32ebd8093ff676abfc9d36e951 ('TDLS: Use proper IE parsing
routine for non-EAPOL-Key cases') that replaced the IE parser without
noticing the difference in the pointer offset.

Signed-off-by: Flavia Vanetti <flavia.vanetti@ceva-dsp.com>

diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index e4241681842ac5a756e5d9d34f53b37688fe80f9..f57311e8bfab7e08c4a84e16b8870dabb55a2856 100644 (file)
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -2878,14 +2878,14 @@ void wpa_tdls_disassoc(struct wpa_sm *sm)
 static int wpa_tdls_prohibited(struct ieee802_11_elems *elems)
 {
        /* bit 38 - TDLS Prohibited */
-       return !!(elems->ext_capab[2 + 4] & 0x40);
+       return !!(elems->ext_capab[4] & 0x40);
 }
 
 
 static int wpa_tdls_chan_switch_prohibited(struct ieee802_11_elems *elems)
 {
        /* bit 39 - TDLS Channel Switch Prohibited */
-       return !!(elems->ext_capab[2 + 4] & 0x80);
+       return !!(elems->ext_capab[4] & 0x80);
 }
 
 
@@ -2898,7 +2898,7 @@ void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
 
        if (ies == NULL ||
            ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
-           elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
+           elems.ext_capab == NULL || elems.ext_capab_len < 5)
                return;
 
        sm->tdls_prohibited = wpa_tdls_prohibited(&elems);
@@ -2917,7 +2917,7 @@ void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len)
 
        if (ies == NULL ||
            ieee802_11_parse_elems(ies, len, &elems, 0) == ParseFailed ||
-           elems.ext_capab == NULL || elems.ext_capab_len < 2 + 5)
+           elems.ext_capab == NULL || elems.ext_capab_len < 5)
                return;
 
        if (!sm->tdls_prohibited && wpa_tdls_prohibited(&elems)) {