From: Vamsi Krishna Date: Tue, 13 Oct 2020 15:51:13 +0000 (+0530) Subject: MSCS: Fix decapsulating subelements from MSCS descriptor X-Git-Tag: hostap_2_10~817 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f7989d8af726b5f4ee3741a45545fe890c83366;p=thirdparty%2Fhostap.git MSCS: Fix decapsulating subelements from MSCS descriptor Fix pointer sent for decapsulating subelements from MSCS descriptor IE while processing (re)association response frames. Fixes: af8ab3208d03 ("MSCS: Parse result of MSCS setup in (Re)Association Response frames") Signed-off-by: Jouni Malinen --- diff --git a/wpa_supplicant/robust_av.c b/wpa_supplicant/robust_av.c index 4ac1a2bb9..1280f5d96 100644 --- a/wpa_supplicant/robust_av.c +++ b/wpa_supplicant/robust_av.c @@ -142,10 +142,13 @@ void wpas_handle_assoc_resp_mscs(struct wpa_supplicant *wpa_s, const u8 *bssid, return; mscs_desc_ie = get_ie_ext(ies, ies_len, WLAN_EID_EXT_MSCS_DESCRIPTOR); - if (!mscs_desc_ie || mscs_desc_ie[1] < 1) + if (!mscs_desc_ie || mscs_desc_ie[1] <= 8) return; - mscs_status = get_ie(mscs_desc_ie, mscs_desc_ie[1], + /* Subelements start after (ie_id(1) + ie_len(1) + ext_id(1) + + * request type(1) + upc(2) + stream timeout(4) =) 10. + */ + mscs_status = get_ie(&mscs_desc_ie[10], mscs_desc_ie[1] - 8, MCSC_SUBELEM_STATUS); if (!mscs_status || mscs_status[1] < 2) return;
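Review bot: the `<= 8` bound, the `&mscs_desc_ie[10]` offset and the `mscs_desc_ie[1] - 8` length in the get_ie() call are three hard-coded numbers that must stay in agreement, and the new comment only derives the 10. Please either name the fixed-field size (request type 1 + UPC 2 + stream timeout 4 + extension ID 1 = 8) as a constant and express the offset as the 2-byte element header plus that constant, or extend the comment to say that 8 is the same sum without the ie_id and ie_len octets, since mscs_desc_ie[1] does not count them. The arithmetic itself looks right: with `mscs_desc_ie[1] <= 8` rejected, `mscs_desc_ie[1] - 8` is at least 1 and cannot underflow, and the existing `mscs_status[1] < 2` check still guards the status field. A minor follow-up visible in the context line: `MCSC_SUBELEM_STATUS` looks like a transposition of MSCS and could be renamed in a separate change.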