Cumulative patch from commit 4a16a0bd550401a50dedfcf701f6dcc7a3598133i
4a16a0b nl80211: Add QCA vendor subcmd for NAN
f8b10c1 Fix CONFIG_AP=y build without CONFIG_P2P=y
f05cee9 P2P: Clear p2p_in_invitation on cancel
ec331d0 WNM: Fix deinit path to clean neighbor report count
679f2e7 WPS NFC: Remove NFC_RX_HANDOVER_SEL
dc39004 WPS: Remove unused WEP related functionality
9437c2d EAP-pwd peer: Fix fragmentation of PWD-Confirm-Resp
48f668e EAP-pwd: Fix memory leak on error path with fragmentation
9ff4de6 Move DROP_SA command to be within ifdef CONFIG_TESTING_OPTIONS
e1a273a Remove used KDE addition code from EAPOL-Key msg 4/4
9a147ba WNM: Fix regression in Sleep Mode exit key data parsing
76d3fb1 Remove unused wpa_sm_get_param() function
ed42993 TDLS: Add test mode for MIC failure testing
5784b9a Fix memory leaks in hostapd configuration updates
Change-Id: I7f1ec783ac791e06178f9c8b9be9119ac46aa745
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 7db6eb6..1ca4c71 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -235,16 +235,20 @@
const u8 *frm, int len)
{
/*
- * Action [1] | Diaglog Token [1] | Key Data Len [2] | Key Data |
+ * Action [1] | Dialog Token [1] | Key Data Len [2] | Key Data |
* WNM-Sleep Mode IE | TFS Response IE
*/
u8 *pos = (u8 *) frm; /* point to payload after the action field */
- u16 key_len_total = le_to_host16(*((u16 *)(frm+2)));
+ u16 key_len_total;
struct wnm_sleep_element *wnmsleep_ie = NULL;
/* multiple TFS Resp IE (assuming consecutive) */
u8 *tfsresp_ie_start = NULL;
u8 *tfsresp_ie_end = NULL;
+ if (len < 3)
+ return;
+ key_len_total = WPA_GET_LE16(frm + 1);
+
wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
frm[0], key_len_total);
pos += 3 + key_len_total;
@@ -315,6 +319,7 @@
os_free(wpa_s->wnm_neighbor_report_elements[i].mul_bssid);
}
+ wpa_s->wnm_num_neighbor_report = 0;
os_free(wpa_s->wnm_neighbor_report_elements);
wpa_s->wnm_neighbor_report_elements = NULL;
}