From 0f7989d8af726b5f4ee3741a45545fe890c83366 Mon Sep 17 00:00:00 2001
From: Vamsi Krishna
Date: Tue, 13 Oct 2020 21:21:13 +0530
Subject: [PATCH] MSCS: Fix decapsulating subelements from MSCS descriptor
Fix pointer sent for decapsulating subelements from MSCS descriptor IE while processing (re)association response frames.
Fixes: af8ab3208d03 ("MSCS: Parse result of MSCS setup in (Re)Association Response frames")
Signed-off-by: Jouni Malinen
---
 wpa_supplicant/robust_av.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/robust_av.c b/wpa_supplicant/robust_av.c
index 4ac1a2bb9..1280f5d96 100644
--- a/wpa_supplicant/robust_av.c
+++ b/wpa_supplicant/robust_av.c
@@ -142,10 +142,13 @@ void wpas_handle_assoc_resp_mscs(struct wpa_supplicant *wpa_s, const u8 *bssid,
 return;
 mscs_desc_ie = get_ie_ext(ies, ies_len, WLAN_EID_EXT_MSCS_DESCRIPTOR);
- if (!mscs_desc_ie || mscs_desc_ie[1] < 1)
+ if (!mscs_desc_ie || mscs_desc_ie[1] <= 8)
 return;
- mscs_status = get_ie(mscs_desc_ie, mscs_desc_ie[1],
+ /* Subelements start after (ie_id(1) + ie_len(1) + ext_id(1) +
+ * request type(1) + upc(2) + stream timeout(4) =) 10.
+ */
+ mscs_status = get_ie(&mscs_desc_ie[10], mscs_desc_ie[1] - 8,
 MCSC_SUBELEM_STATUS);
 if (!mscs_status || mscs_status[1] < 2)
 return;
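Review bot: The guard `mscs_desc_ie[1] <= 8`, the offset `&mscs_desc_ie[10]` and the length `mscs_desc_ie[1] - 8` are three bare literals that have to stay in agreement, and the added comment derives only the 10. The guard is the only thing that stops a short MSCS Descriptor element in an AP-supplied (Re)Association Response from turning the subtraction negative, which would reach get_ie() as a very large length if its length parameter is unsigned. I would state that dependency in the comment, e.g. `* The length check above keeps mscs_desc_ie[1] - 8 >= 1.`, or name the fixed part once (something like `fixed_len = 1 + 1 + 2 + 4` for ext_id, request type, upc and stream timeout) and use it in all three places. This assumes get_ie_ext() only returns elements that lie fully inside ies/ies_len, which is not visible here. wpas_handle_assoc_resp_mscs() starts and ends outside the hunk.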