mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-28 18:28:23 -05:00
mesh: Fix off-by-one in buf length calculation
The maximum size of a Mesh Peering Management element in the case of an AMPE close frame is actually 24 bytes, not 23 bytes, plus the two bytes of the IE header (IEEE Std 802.11-2016, 9.4.2.102). Found by inspection. The other buffer components seem to use large enough extra room in their allocations to avoid hitting issues with the full buffer size even without this fix. Signed-off-by: Bob Copeland <bobcopeland@fb.com>
This commit is contained in:
parent
2b7f46f1c7
commit
25778502d5
@ -228,7 +228,7 @@ static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s,
|
|||||||
2 + (32 - 8) +
|
2 + (32 - 8) +
|
||||||
2 + 32 + /* mesh ID */
|
2 + 32 + /* mesh ID */
|
||||||
2 + 7 + /* mesh config */
|
2 + 7 + /* mesh config */
|
||||||
2 + 23 + /* peering management */
|
2 + 24 + /* peering management */
|
||||||
2 + 96 + /* AMPE */
|
2 + 96 + /* AMPE */
|
||||||
2 + 16; /* MIC */
|
2 + 16; /* MIC */
|
||||||
#ifdef CONFIG_IEEE80211N
|
#ifdef CONFIG_IEEE80211N
|
||||||
|
Loading…
Reference in New Issue
Block a user