RRM: Fix wpas_rrm_send_msr_report() loop handling
The while (len) loop was updating the next pointer at the end even when len == 0, i.e., when the new next value won't be used. This could result in reading one octet beyond the end of the allocated response wpabuf. While the read value is not really used in practice, this is not correct behavior, so fix this by skipping the unnecessary next pointer update in len == 0 case. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
891aa65b88
commit
b696f791ac
1 changed files with 2 additions and 1 deletions
|
@ -409,7 +409,8 @@ static void wpas_rrm_send_msr_report(struct wpa_supplicant *wpa_s,
|
|||
pos = next;
|
||||
}
|
||||
|
||||
next += next[1] + 2;
|
||||
if (len)
|
||||
next += next[1] + 2;
|
||||
}
|
||||
#undef MPDU_REPORT_LEN
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue