mesh: Fix off-by-one in buf length calculation

The maximum size of a Mesh Peering Management element in the case
of an AMPE close frame is actually 24 bytes, not 23 bytes, plus the
two bytes of the IE header (IEEE Std 802.11-2016, 9.4.2.102). Found by
inspection.

The other buffer components seem to use large enough extra room in their
allocations to avoid hitting issues with the full buffer size even
without this fix.

Signed-off-by: Bob Copeland <bobcopeland@fb.com>
This commit is contained in:
Bob Copeland 2018-11-23 10:15:42 -05:00 committed by Jouni Malinen
parent 2b7f46f1c7
commit 25778502d5

View File

@ -228,7 +228,7 @@ static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s,
2 + (32 - 8) + 2 + (32 - 8) +
2 + 32 + /* mesh ID */ 2 + 32 + /* mesh ID */
2 + 7 + /* mesh config */ 2 + 7 + /* mesh config */
2 + 23 + /* peering management */ 2 + 24 + /* peering management */
2 + 96 + /* AMPE */ 2 + 96 + /* AMPE */
2 + 16; /* MIC */ 2 + 16; /* MIC */
#ifdef CONFIG_IEEE80211N #ifdef CONFIG_IEEE80211N