From 93a73ce028ab2d721ed97b4e21e4a86182466d76 Mon Sep 17 00:00:00 2001
From: Veerendranath Jakkam <vjakkam@codeaurora.org>
Date: Wed, 19 Aug 2020 15:00:32 +0530
Subject: [PATCH] MSCS: Fix issues due to incorrect usage of wpa_hexdump_buf()

Previously wpabuf_head() of the buffer is passed to wpa_hexdump_buf()
instead of the wpabuf struct itself and it was causing wpa_supplicant to
crash. Fix this by using the correct pointer in the debug prints.

Fixes: a118047245b0 ("MSCS: Add support to send MSCS Request frames")
Fixes: c504ff5398fa ("MSCS: Add support to populate MSCS Descriptor IE in (Re)AssocReq")
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
---
 wpa_supplicant/robust_av.c      | 2 +-
 wpa_supplicant/sme.c            | 3 +--
 wpa_supplicant/wpa_supplicant.c | 3 +--
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/wpa_supplicant/robust_av.c b/wpa_supplicant/robust_av.c
index 31315517a..4ac1a2bb9 100644
--- a/wpa_supplicant/robust_av.c
+++ b/wpa_supplicant/robust_av.c
@@ -94,7 +94,7 @@ int wpas_send_mscs_req(struct wpa_supplicant *wpa_s)
 	/* MSCS descriptor element */
 	wpas_populate_mscs_descriptor_ie(&wpa_s->robust_av, buf);
 
-	wpa_hexdump_buf(MSG_MSGDUMP, "MSCS Request", wpabuf_head(buf));
+	wpa_hexdump_buf(MSG_MSGDUMP, "MSCS Request", buf);
 	ret = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
 				  wpa_s->own_addr, wpa_s->bssid,
 				  wpabuf_head(buf), wpabuf_len(buf), 0);
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 592c742fa..2faaff930 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1905,8 +1905,7 @@ pfs_fail:
 		max_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
 		wpas_populate_mscs_descriptor_ie(&wpa_s->robust_av, mscs_ie);
 		if ((*wpa_ie_len + wpabuf_len(mscs_ie)) <= max_ie_len) {
-			wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE",
-					wpabuf_head(mscs_ie));
+			wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE", mscs_ie);
 			mscs_ie_len = wpabuf_len(mscs_ie);
 			os_memcpy(wpa_s->sme.assoc_req_ie + *wpa_ie_len,
 				  wpabuf_head(mscs_ie), mscs_ie_len);
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 3d2c0a985..39e92fb68 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -3214,8 +3214,7 @@ pfs_fail:
 
 		wpas_populate_mscs_descriptor_ie(&wpa_s->robust_av, mscs_ie);
 		if ((wpa_ie_len + wpabuf_len(mscs_ie)) <= max_wpa_ie_len) {
-			wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE",
-					wpabuf_head(mscs_ie));
+			wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE", mscs_ie);
 			mscs_ie_len = wpabuf_len(mscs_ie);
 			os_memcpy(wpa_ie + wpa_ie_len, wpabuf_head(mscs_ie),
 				  mscs_ie_len);