From b696f791ac011a7d9bed73db11c16199b56aa2b1 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 8 Mar 2017 16:16:37 +0200 Subject: [PATCH] RRM: Fix wpas_rrm_send_msr_report() loop handling The while (len) loop was updating the next pointer at the end even when len == 0, i.e., when the new next value won't be used. This could result in reading one octet beyond the end of the allocated response wpabuf. While the read value is not really used in practice, this is not correct behavior, so fix this by skipping the unnecessary next pointer update in len == 0 case. Signed-off-by: Jouni Malinen --- wpa_supplicant/rrm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wpa_supplicant/rrm.c b/wpa_supplicant/rrm.c index 8ba372155..18d4907d8 100644 --- a/wpa_supplicant/rrm.c +++ b/wpa_supplicant/rrm.c @@ -409,7 +409,8 @@ static void wpas_rrm_send_msr_report(struct wpa_supplicant *wpa_s, pos = next; } - next += next[1] + 2; + if (len) + next += next[1] + 2; } #undef MPDU_REPORT_LEN }
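Review bot: the new `if (len)` guard around `next += next[1] + 2;` only skips the read when `len` is exactly 0, but `next[1]` needs two octets to remain, so if `len` can ever be 1 at this point the read past the end of the response wpabuf is still possible. Unless the loop body guarantees that `len` is always decremented by whole `next[1] + 2` elements (which the hunk does not show), consider `if (len >= 2)` instead, or add a comment stating that invariant so the reason the weaker check suffices is recorded next to the code. Either way, the `wpabuf` size argument for why the earlier `next[1]` read inside the loop is in bounds deserves the same note.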