-rw-r--r--src/common/ieee802_11_defs.h1
-rw-r--r--wpa_supplicant/wnm_sta.c19
2 files changed, 15 insertions, 5 deletions
diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h
index eec1a2e8..e8550ded 100644
--- a/src/common/ieee802_11_defs.h
+++ b/src/common/ieee802_11_defs.h
@@ -221,6 +221,7 @@
#define WLAN_EID_QOS 46
#define WLAN_EID_RSN 48
#define WLAN_EID_EXT_SUPP_RATES 50
+#define WLAN_EID_NEIGHBOR_REPORT 52
#define WLAN_EID_MOBILITY_DOMAIN 54
#define WLAN_EID_FAST_BSS_TRANSITION 55
#define WLAN_EID_TIMEOUT_INTERVAL 56
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 5731cbd5..52dc3c8c 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -456,8 +456,15 @@ static void wnm_parse_neighbor_report(struct wpa_supplicant *wpa_s,
id = *pos++;
elen = *pos++;
+ wpa_printf(MSG_DEBUG, "WNM: Subelement id=%u len=%u", id, elen);
+ left -= 2;
+ if (elen > left) {
+ wpa_printf(MSG_DEBUG,
+ "WNM: Truncated neighbor report subelement");
+ break;
+ }
wnm_parse_neighbor_report_elem(rep, id, elen, pos);
- left -= 2 + elen;
+ left -= elen;
pos += elen;
}
}
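Review bot: The new `elen > left` check is only sound if `left` is at least 2 when `left -= 2;` runs, and that guarantee comes from the loop condition, which is outside this hunk; if `left` is an unsigned type, a guard weaker than `left >= 2` would let the subtraction wrap and the length check pass. A one-line comment above the subtraction would pin the assumption down, e.g. `/* loop condition guarantees left >= 2 here */`. On truncation the loop breaks but the function is `void`, so the caller cannot distinguish a fully parsed report from one cut short; a comment at the `break` such as `/* keep fields parsed so far; remaining bytes are ignored */` would make that intent explicit. The function body starts outside the hunk.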
@@ -671,10 +678,12 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
wpa_printf(MSG_DEBUG, "WNM: Truncated request");
return;
}
- wnm_parse_neighbor_report(
- wpa_s, pos, len,
- &wpa_s->wnm_neighbor_report_elements[
- wpa_s->wnm_num_neighbor_report]);
+ if (tag == WLAN_EID_NEIGHBOR_REPORT) {
+ struct neighbor_report *rep;
+ rep = &wpa_s->wnm_neighbor_report_elements[
+ wpa_s->wnm_num_neighbor_report];
+ wnm_parse_neighbor_report(wpa_s, pos, len, rep);
+ }
pos += len;
wpa_s->wnm_num_neighbor_report++;
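Review bot: `wpa_s->wnm_num_neighbor_report++;` at the end of the hunk still runs for every element, not only for `WLAN_EID_NEIGHBOR_REPORT`, so an element carrying any other tag consumes a slot in `wnm_neighbor_report_elements` that the parser never filled and that is then counted as a neighbor entry. Moving the increment into the new `if` block, directly after `wnm_parse_neighbor_report(wpa_s, pos, len, rep);`, keeps the count equal to the number of reports actually parsed. The array index comes from state driven by the received frame, and the bound on `wnm_num_neighbor_report` is presumably in the loop condition outside the hunk, so it is worth confirming there that the index cannot reach the array size. The enclosing loop and function start and end outside the hunk.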