From: Bob Copeland <me@bobcopeland.com>
Date: Fri, 23 Nov 2018 15:15:42 +0000 (-0500)
Subject: mesh: Fix off-by-one in buf length calculation
X-Git-Tag: hostap_2_7~76
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25778502d5ec45e0dc936a0c8e294c4a3a6c58c4;p=thirdparty%2Fhostap.git

mesh: Fix off-by-one in buf length calculation

The maximum size of a Mesh Peering Management element in the case
of an AMPE close frame is actually 24 bytes, not 23 bytes, plus the
two bytes of the IE header (IEEE Std 802.11-2016, 9.4.2.102). Found by
inspection.

The other buffer components seem to use large enough extra room in their
allocations to avoid hitting issues with the full buffer size even
without this fix.

Signed-off-by: Bob Copeland <bobcopeland@fb.com>
---

diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index d166cfeec..cbb1cd36f 100644
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -228,7 +228,7 @@ static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s,
 		  2 + (32 - 8) +
 		  2 + 32 + /* mesh ID */
 		  2 + 7 +  /* mesh config */
-		  2 + 23 + /* peering management */
+		  2 + 24 + /* peering management */
 		  2 + 96 + /* AMPE */
 		  2 + 16;  /* MIC */
 #ifdef CONFIG_IEEE80211N