From 25778502d5ec45e0dc936a0c8e294c4a3a6c58c4 Mon Sep 17 00:00:00 2001 From: Bob Copeland Date: Fri, 23 Nov 2018 10:15:42 -0500 Subject: [PATCH] mesh: Fix off-by-one in buf length calculation The maximum size of a Mesh Peering Management element in the case of an AMPE close frame is actually 24 bytes, not 23 bytes, plus the two bytes of the IE header (IEEE Std 802.11-2016, 9.4.2.102). Found by inspection. The other buffer components seem to use large enough extra room in their allocations to avoid hitting issues with the full buffer size even without this fix. Signed-off-by: Bob Copeland --- wpa_supplicant/mesh_mpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c index d166cfeec..cbb1cd36f 100644 --- a/wpa_supplicant/mesh_mpm.c +++ b/wpa_supplicant/mesh_mpm.c @@ -228,7 +228,7 @@ static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s, 2 + (32 - 8) + 2 + 32 + /* mesh ID */ 2 + 7 + /* mesh config */ - 2 + 23 + /* peering management */ + 2 + 24 + /* peering management */ 2 + 96 + /* AMPE */ 2 + 16; /* MIC */ #ifdef CONFIG_IEEE80211N