diff --git a/src/ap/dfs.c b/src/ap/dfs.c
index 612f534..2b8b90f 100644
--- a/src/ap/dfs.c
+++ b/src/ap/dfs.c
@@ -214,6 +214,7 @@
 		break;
 	default:
 		wpa_printf(MSG_INFO, "DFS only VHT20/40/80/160 is supported now");
+		*vht_oper_centr_freq_seg0_idx = 0;
 		break;
 	}
 
@@ -359,6 +360,9 @@
 	u32 _rand;
 
 	wpa_printf(MSG_DEBUG, "DFS: Selecting random channel");
+	*secondary_channel = 0;
+	*vht_oper_centr_freq_seg0_idx = 0;
+	*vht_oper_centr_freq_seg1_idx = 0;
 
 	if (iface->current_mode == NULL)
 		return NULL;
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 6fb1056..3318f7a 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -678,6 +678,20 @@
 	struct hostapd_frame_info fi;
 	int ret;
 
+#ifdef CONFIG_TESTING_OPTIONS
+	if (hapd->ext_mgmt_frame_handling) {
+		size_t hex_len = 2 * rx_mgmt->frame_len + 1;
+		char *hex = os_malloc(hex_len);
+		if (hex) {
+			wpa_snprintf_hex(hex, hex_len, rx_mgmt->frame,
+					 rx_mgmt->frame_len);
+			wpa_msg(hapd->msg_ctx, MSG_INFO, "MGMT-RX %s", hex);
+			os_free(hex);
+		}
+		return 1;
+	}
+#endif /* CONFIG_TESTING_OPTIONS */
+
 	hdr = (const struct ieee80211_hdr *) rx_mgmt->frame;
 	bssid = get_hdr_bssid(hdr, rx_mgmt->frame_len);
 	if (bssid == NULL)
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 75baec0..ad1c2d0 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -1807,6 +1807,7 @@
 			if (start_ctrl_iface_bss(hapd) < 0 ||
 			    (hapd_iface->state == HAPD_IFACE_ENABLED &&
 			     hostapd_setup_bss(hapd, -1))) {
+				hapd_iface->bss[hapd_iface->num_bss - 1] = NULL;
 				hapd_iface->conf->num_bss--;
 				hapd_iface->num_bss--;
 				wpa_printf(MSG_DEBUG, "%s: free hapd %p %s",
@@ -1876,14 +1877,17 @@
 		if (hapd_iface->bss) {
 			for (i = 0; i < hapd_iface->num_bss; i++) {
 				hapd = hapd_iface->bss[i];
-				if (hapd && hapd_iface->interfaces &&
+				if (!hapd)
+					continue;
+				if (hapd_iface->interfaces &&
 				    hapd_iface->interfaces->ctrl_iface_deinit)
 					hapd_iface->interfaces->
 						ctrl_iface_deinit(hapd);
 				wpa_printf(MSG_DEBUG, "%s: free hapd %p (%s)",
 					   __func__, hapd_iface->bss[i],
-					hapd_iface->bss[i]->conf->iface);
-				os_free(hapd_iface->bss[i]);
+					   hapd->conf->iface);
+				os_free(hapd);
+				hapd_iface->bss[i] = NULL;
 			}
 			os_free(hapd_iface->bss);
 		}
diff --git a/src/ap/hw_features.c b/src/ap/hw_features.c
index 7d36790..af1bc9b 100644
--- a/src/ap/hw_features.c
+++ b/src/ap/hw_features.c
@@ -982,8 +982,6 @@
 		hostapd_notify_bad_chans(iface);
 		return -3;
 	}
-
-	return 0;
 }
 
 
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 3e704e5..c97cef1 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1738,19 +1738,6 @@
 	u16 fc, stype;
 	int ret = 0;
 
-#ifdef CONFIG_TESTING_OPTIONS
-	if (hapd->ext_mgmt_frame_handling) {
-		size_t hex_len = 2 * len + 1;
-		char *hex = os_malloc(hex_len);
-		if (hex) {
-			wpa_snprintf_hex(hex, hex_len, buf, len);
-			wpa_msg(hapd->msg_ctx, MSG_INFO, "MGMT-RX %s", hex);
-			os_free(hex);
-		}
-		return 1;
-	}
-#endif /* CONFIG_TESTING_OPTIONS */
-
 	if (len < 24)
 		return 0;
 
diff --git a/src/ap/ieee802_11_ht.c b/src/ap/ieee802_11_ht.c
index 31dc47e..a166178 100644
--- a/src/ap/ieee802_11_ht.c
+++ b/src/ap/ieee802_11_ht.c
@@ -139,7 +139,6 @@
 		op_mode_changes++;
 	}
 
-	new_op_mode = 0;
 	if (iface->num_sta_no_ht)
 		new_op_mode = OP_MODE_MIXED;
 	else if (iface->conf->secondary_channel && iface->num_sta_ht_20mhz)
diff --git a/src/ap/peerkey_auth.c b/src/ap/peerkey_auth.c
index ba5c606..612babc 100644
--- a/src/ap/peerkey_auth.c
+++ b/src/ap/peerkey_auth.c
@@ -221,8 +221,8 @@
 		return;
 
 	/* Peer RSN IE */
-	os_memcpy(buf, kde->rsn_ie, kde->rsn_ie_len);
-	pos = buf + kde->rsn_ie_len;
+	os_memcpy(pos, kde->rsn_ie, kde->rsn_ie_len);
+	pos += kde->rsn_ie_len;
 
 	/* Peer MAC Address */
 	pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN, NULL, 0);
diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h
index 520e55d..cf4664f 100644
--- a/src/common/ieee802_11_defs.h
+++ b/src/common/ieee802_11_defs.h
@@ -161,6 +161,7 @@
 #define WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ 76
 #define WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED 77
 #define WLAN_STATUS_TRANSMISSION_FAILURE 79
+#define WLAN_STATUS_QUERY_RESP_OUTSTANDING 95
 #define WLAN_STATUS_ASSOC_DENIED_NO_VHT 104
 
 /* Reason codes (IEEE 802.11-2007, 7.3.1.7, Table 7-22) */
diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index c9d0ccb..27f58aa 100644
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -558,8 +558,9 @@
 #endif /* CONFIG_IEEE80211W */
 
 	if (left > 0) {
-		wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
-			   __func__, left);
+		wpa_hexdump(MSG_DEBUG,
+			    "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
+			    pos, left);
 	}
 
 	return 0;
@@ -696,8 +697,9 @@
 	}
 
 	if (left > 0) {
-		wpa_printf(MSG_DEBUG, "%s: ie has %u trailing bytes - ignored",
-			   __func__, left);
+		wpa_hexdump(MSG_DEBUG,
+			    "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
+			    pos, left);
 	}
 
 	return 0;
@@ -1195,66 +1197,57 @@
 }
 
 
-int rsn_cipher_put_suites(u8 *pos, int ciphers)
+int rsn_cipher_put_suites(u8 *start, int ciphers)
 {
-	int num_suites = 0;
+	u8 *pos = start;
 
 	if (ciphers & WPA_CIPHER_CCMP_256) {
 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
 		pos += RSN_SELECTOR_LEN;
-		num_suites++;
 	}
 	if (ciphers & WPA_CIPHER_GCMP_256) {
 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
 		pos += RSN_SELECTOR_LEN;
-		num_suites++;
 	}
 	if (ciphers & WPA_CIPHER_CCMP) {
 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
 		pos += RSN_SELECTOR_LEN;
-		num_suites++;
 	}
 	if (ciphers & WPA_CIPHER_GCMP) {
 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
 		pos += RSN_SELECTOR_LEN;
-		num_suites++;
 	}
 	if (ciphers & WPA_CIPHER_TKIP) {
 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
 		pos += RSN_SELECTOR_LEN;
-		num_suites++;
 	}
 	if (ciphers & WPA_CIPHER_NONE) {
 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
 		pos += RSN_SELECTOR_LEN;
-		num_suites++;
 	}
 
-	return num_suites;
+	return (pos - start) / RSN_SELECTOR_LEN;
 }
 
 
-int wpa_cipher_put_suites(u8 *pos, int ciphers)
+int wpa_cipher_put_suites(u8 *start, int ciphers)
 {
-	int num_suites = 0;
+	u8 *pos = start;
 
 	if (ciphers & WPA_CIPHER_CCMP) {
 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
 		pos += WPA_SELECTOR_LEN;
-		num_suites++;
 	}
 	if (ciphers & WPA_CIPHER_TKIP) {
 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
 		pos += WPA_SELECTOR_LEN;
-		num_suites++;
 	}
 	if (ciphers & WPA_CIPHER_NONE) {
 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
 		pos += WPA_SELECTOR_LEN;
-		num_suites++;
 	}
 
-	return num_suites;
+	return (pos - start) / RSN_SELECTOR_LEN;
 }
 
 
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index e606828..d4c6b8b 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -785,12 +785,13 @@
 		PKCS12_PBE_add();
 #endif  /* PKCS12_FUNCS */
 	} else {
-		context = tls_global;
 #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
 		/* Newer OpenSSL can store app-data per-SSL */
 		context = tls_context_new(conf);
 		if (context == NULL)
 			return NULL;
+#else /* OPENSSL_SUPPORTS_CTX_APP_DATA */
+		context = tls_global;
 #endif /* OPENSSL_SUPPORTS_CTX_APP_DATA */
 	}
 	tls_openssl_ref_count++;
@@ -988,9 +989,10 @@
 	SSL_CTX *ssl = ssl_ctx;
 	struct tls_connection *conn;
 	long options;
-	struct tls_context *context = tls_global;
 #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
-	context = SSL_CTX_get_app_data(ssl);
+	struct tls_context *context = SSL_CTX_get_app_data(ssl);
+#else /* OPENSSL_SUPPORTS_CTX_APP_DATA */
+	struct tls_context *context = tls_global;
 #endif /* OPENSSL_SUPPORTS_CTX_APP_DATA */
 
 	conn = os_zalloc(sizeof(*conn));
diff --git a/src/drivers/driver_atheros.c b/src/drivers/driver_atheros.c
index 23a4e2b..c146cdc 100644
--- a/src/drivers/driver_atheros.c
+++ b/src/drivers/driver_atheros.c
@@ -1868,6 +1868,25 @@
 	wpa_hexdump_buf(MSG_DEBUG, "atheros: assocresp_ies",
 			params->assocresp_ies);
 
+#if defined(CONFIG_HS20) && defined(IEEE80211_PARAM_OSEN)
+	if (params->osen) {
+		struct wpa_bss_params bss_params;
+
+		os_memset(&bss_params, 0, sizeof(struct wpa_bss_params));
+		bss_params.enabled = 1;
+		bss_params.wpa = 2;
+		bss_params.wpa_pairwise = WPA_CIPHER_CCMP;
+		bss_params.wpa_group = WPA_CIPHER_CCMP;
+		bss_params.ieee802_1x = 1;
+
+		if (atheros_set_privacy(priv, 1) ||
+		    set80211param(priv, IEEE80211_PARAM_OSEN, 1))
+			return -1;
+
+		return atheros_set_ieee8021x(priv, &bss_params);
+	}
+#endif /* CONFIG_HS20 && IEEE80211_PARAM_OSEN */
+
 	return 0;
 }
 
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index 42578b6..c509170 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -301,6 +301,7 @@
 	unsigned int hostapd:1;
 	unsigned int start_mode_ap:1;
 	unsigned int start_iface_up:1;
+	unsigned int test_use_roc_tx:1;
 
 	u64 remain_on_chan_cookie;
 	u64 send_action_cookie;
@@ -9926,7 +9927,8 @@
 		NLA_PUT_U32(msg, NL80211_ATTR_WIPHY_FREQ, freq);
 	if (wait)
 		NLA_PUT_U32(msg, NL80211_ATTR_DURATION, wait);
-	if (offchanok && (drv->capa.flags & WPA_DRIVER_FLAGS_OFFCHANNEL_TX))
+	if (offchanok && ((drv->capa.flags & WPA_DRIVER_FLAGS_OFFCHANNEL_TX) ||
+			  drv->test_use_roc_tx))
 		NLA_PUT_FLAG(msg, NL80211_ATTR_OFFCHANNEL_TX_OK);
 	if (no_cck)
 		NLA_PUT_FLAG(msg, NL80211_ATTR_TX_NO_CCK_RATE);
@@ -10510,6 +10512,13 @@
 		drv->capa.flags &= ~WPA_DRIVER_FLAGS_SME;
 	}
 
+	if (os_strstr(param, "no_offchannel_tx=1")) {
+		struct i802_bss *bss = priv;
+		struct wpa_driver_nl80211_data *drv = bss->drv;
+		drv->capa.flags &= ~WPA_DRIVER_FLAGS_OFFCHANNEL_TX;
+		drv->test_use_roc_tx = 1;
+	}
+
 	return 0;
 }
 
diff --git a/src/drivers/driver_roboswitch.c b/src/drivers/driver_roboswitch.c
index 0a9078a..9ce3fa2 100644
--- a/src/drivers/driver_roboswitch.c
+++ b/src/drivers/driver_roboswitch.c
@@ -260,17 +260,17 @@
 					    ROBO_ARLCTRL_CONF, read1, 1);
 	} else {
 		/* if both multiport addresses are the same we can add */
-		wpa_driver_roboswitch_read(drv, ROBO_ARLCTRL_PAGE,
-					   ROBO_ARLCTRL_ADDR_1, read1, 3);
-		wpa_driver_roboswitch_read(drv, ROBO_ARLCTRL_PAGE,
-					   ROBO_ARLCTRL_ADDR_2, read2, 3);
-		if (os_memcmp(read1, read2, 6) != 0)
+		if (wpa_driver_roboswitch_read(drv, ROBO_ARLCTRL_PAGE,
+					       ROBO_ARLCTRL_ADDR_1, read1, 3) ||
+		    wpa_driver_roboswitch_read(drv, ROBO_ARLCTRL_PAGE,
+					       ROBO_ARLCTRL_ADDR_2, read2, 3) ||
+		    os_memcmp(read1, read2, 6) != 0)
 			return -1;
-		wpa_driver_roboswitch_read(drv, ROBO_ARLCTRL_PAGE,
-					   ROBO_ARLCTRL_VEC_1, read1, 1);
-		wpa_driver_roboswitch_read(drv, ROBO_ARLCTRL_PAGE,
-					   ROBO_ARLCTRL_VEC_2, read2, 1);
-		if (read1[0] != read2[0])
+		if (wpa_driver_roboswitch_read(drv, ROBO_ARLCTRL_PAGE,
+					       ROBO_ARLCTRL_VEC_1, read1, 1) ||
+		    wpa_driver_roboswitch_read(drv, ROBO_ARLCTRL_PAGE,
+					       ROBO_ARLCTRL_VEC_2, read2, 1) ||
+		    read1[0] != read2[0])
 			return -1;
 		wpa_driver_roboswitch_write(drv, ROBO_ARLCTRL_PAGE,
 					    ROBO_ARLCTRL_ADDR_1, addr_be16, 3);
diff --git a/src/drivers/driver_test.c b/src/drivers/driver_test.c
index 7d30655..1b13d3d 100644
--- a/src/drivers/driver_test.c
+++ b/src/drivers/driver_test.c
@@ -1529,7 +1529,8 @@
 #endif /* DRIVER_TEST_UNIX */
 
 	if (params->mode == IEEE80211_MODE_AP) {
-		os_memcpy(dbss->ssid, params->ssid, params->ssid_len);
+		if (params->ssid)
+			os_memcpy(dbss->ssid, params->ssid, params->ssid_len);
 		dbss->ssid_len = params->ssid_len;
 		os_memcpy(dbss->bssid, drv->own_addr, ETH_ALEN);
 		if (params->wpa_ie && params->wpa_ie_len) {
@@ -1550,8 +1551,9 @@
 				  MAC2STR(drv->own_addr));
 		if (ret >= 0 && ret < end - pos)
 			pos += ret;
-		pos += wpa_snprintf_hex(pos, end - pos, params->ssid,
-					params->ssid_len);
+		if (params->ssid)
+			pos += wpa_snprintf_hex(pos, end - pos, params->ssid,
+						params->ssid_len);
 		ret = os_snprintf(pos, end - pos, " ");
 		if (ret >= 0 && ret < end - pos)
 			pos += ret;
@@ -1575,12 +1577,15 @@
 			return -1;
 		}
 
-		os_memcpy(dbss->ssid, params->ssid, params->ssid_len);
+		if (params->ssid)
+			os_memcpy(dbss->ssid, params->ssid, params->ssid_len);
 		dbss->ssid_len = params->ssid_len;
 	} else {
 		drv->associated = 1;
 		if (params->mode == IEEE80211_MODE_IBSS) {
-			os_memcpy(dbss->ssid, params->ssid, params->ssid_len);
+			if (params->ssid)
+				os_memcpy(dbss->ssid, params->ssid,
+					  params->ssid_len);
 			dbss->ssid_len = params->ssid_len;
 			if (params->bssid)
 				os_memcpy(dbss->bssid, params->bssid,
diff --git a/src/eap_peer/eap_fast.c b/src/eap_peer/eap_fast.c
index 1b0c562..cc1f264 100644
--- a/src/eap_peer/eap_fast.c
+++ b/src/eap_peer/eap_fast.c
@@ -149,14 +149,16 @@
 	struct eap_fast_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
 
+	if (config == NULL)
+		return NULL;
+
 	data = os_zalloc(sizeof(*data));
 	if (data == NULL)
 		return NULL;
 	data->fast_version = EAP_FAST_VERSION;
 	data->max_pac_list_len = 10;
 
-	if (config && config->phase1 &&
-	    eap_fast_parse_phase1(data, config->phase1) < 0) {
+	if (config->phase1 && eap_fast_parse_phase1(data, config->phase1) < 0) {
 		eap_fast_deinit(sm, data);
 		return NULL;
 	}
diff --git a/src/p2p/p2p_invitation.c b/src/p2p/p2p_invitation.c
index 30d218c..a45fe19 100644
--- a/src/p2p/p2p_invitation.c
+++ b/src/p2p/p2p_invitation.c
@@ -359,12 +359,17 @@
 		p2p->inv_group_bssid_ptr = p2p->inv_group_bssid;
 	} else
 		p2p->inv_group_bssid_ptr = NULL;
-	if (msg.group_id_len - ETH_ALEN <= 32) {
-		os_memcpy(p2p->inv_ssid, msg.group_id + ETH_ALEN,
-			  msg.group_id_len - ETH_ALEN);
-		p2p->inv_ssid_len = msg.group_id_len - ETH_ALEN;
+	if (msg.group_id) {
+		if (msg.group_id_len - ETH_ALEN <= 32) {
+			os_memcpy(p2p->inv_ssid, msg.group_id + ETH_ALEN,
+				  msg.group_id_len - ETH_ALEN);
+			p2p->inv_ssid_len = msg.group_id_len - ETH_ALEN;
+		}
+		os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN);
+	} else {
+		p2p->inv_ssid_len = 0;
+		os_memset(p2p->inv_go_dev_addr, 0, ETH_ALEN);
 	}
-	os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN);
 	p2p->inv_status = status;
 	p2p->inv_op_freq = op_freq;
 
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 5074b60..6b86932 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -1371,8 +1371,8 @@
 			break;
 		}
 		entry->shared_secret_len = os_strlen(entry->shared_secret);
-		entry->addr.s_addr = addr.s_addr;
 		if (!ipv6) {
+			entry->addr.s_addr = addr.s_addr;
 			val = 0;
 			for (i = 0; i < mask; i++)
 				val |= 1 << (31 - i);
diff --git a/src/utils/trace.c b/src/utils/trace.c
index 6795d41..94440f2 100644
--- a/src/utils/trace.c
+++ b/src/utils/trace.c
@@ -187,6 +187,7 @@
 		wpa_printf(MSG_INFO, "     %s() %s:%u",
 			   name, filename, data.line);
 		free(aname);
+		aname = NULL;
 
 		data.found = bfd_find_inliner_info(abfd, &data.filename,
 						   &data.function, &data.line);
diff --git a/src/wps/ndef.c b/src/wps/ndef.c
index 2b35064..d45dfc8 100644
--- a/src/wps/ndef.c
+++ b/src/wps/ndef.c
@@ -148,7 +148,8 @@
 
 static int wifi_filter(struct ndef_record *record)
 {
-	if (record->type_length != os_strlen(wifi_handover_type))
+	if (record->type == NULL ||
+	    record->type_length != os_strlen(wifi_handover_type))
 		return 0;
 	if (os_memcmp(record->type, wifi_handover_type,
 		      os_strlen(wifi_handover_type)) != 0)
@@ -173,7 +174,8 @@
 
 static int p2p_filter(struct ndef_record *record)
 {
-	if (record->type_length != os_strlen(p2p_handover_type))
+	if (record->type == NULL ||
+	    record->type_length != os_strlen(p2p_handover_type))
 		return 0;
 	if (os_memcmp(record->type, p2p_handover_type,
 		      os_strlen(p2p_handover_type)) != 0)
diff --git a/src/wps/wps_upnp_web.c b/src/wps/wps_upnp_web.c
index 2a3b636..54c3658 100644
--- a/src/wps/wps_upnp_web.c
+++ b/src/wps/wps_upnp_web.c
@@ -946,7 +946,7 @@
 	wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP SUBSCRIBE for event");
 	end = os_strchr(h, '\n');
 
-	for (; end != NULL; h = end + 1) {
+	while (end) {
 		/* Option line by option line */
 		h = end + 1;
 		end = os_strchr(h, '\n');
@@ -1153,7 +1153,7 @@
 	wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP UNSUBSCRIBE for event");
 	end = os_strchr(h, '\n');
 
-	for (; end != NULL; h = end + 1) {
+	while (end) {
 		/* Option line by option line */
 		h = end + 1;
 		end = os_strchr(h, '\n');
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index da9580e..23aab4b 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -438,10 +438,10 @@
 	int first = 1, ret;
 	char *buf, *pos, *end;
 
-	pos = buf = os_zalloc(10);
+	pos = buf = os_zalloc(20);
 	if (buf == NULL)
 		return NULL;
-	end = buf + 10;
+	end = buf + 20;
 
 	if (ssid->proto & WPA_PROTO_WPA) {
 		ret = os_snprintf(pos, end - pos, "%sWPA", first ? "" : " ");
@@ -459,6 +459,14 @@
 		first = 0;
 	}
 
+	if (ssid->proto & WPA_PROTO_OSEN) {
+		ret = os_snprintf(pos, end - pos, "%sOSEN", first ? "" : " ");
+		if (ret < 0 || ret >= end - pos)
+			return buf;
+		pos += ret;
+		first = 0;
+	}
+
 	return buf;
 }
 #endif /* NO_CONFIG_WRITE */
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 9f5d4f4..793faec 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -2074,7 +2074,8 @@
 				    const u8 *ie, size_t ie_len)
 {
 	struct wpa_ie_data data;
-	int first, ret;
+	char *start;
+	int ret;
 
 	ret = os_snprintf(pos, end - pos, "[%s-", proto);
 	if (ret < 0 || ret >= end - pos)
@@ -2089,62 +2090,58 @@
 		return pos;
 	}
 
-	first = 1;
+	start = pos;
 	if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X) {
-		ret = os_snprintf(pos, end - pos, "%sEAP", first ? "" : "+");
+		ret = os_snprintf(pos, end - pos, "%sEAP",
+				  pos == start ? "" : "+");
 		if (ret < 0 || ret >= end - pos)
 			return pos;
 		pos += ret;
-		first = 0;
 	}
 	if (data.key_mgmt & WPA_KEY_MGMT_PSK) {
-		ret = os_snprintf(pos, end - pos, "%sPSK", first ? "" : "+");
+		ret = os_snprintf(pos, end - pos, "%sPSK",
+				  pos == start ? "" : "+");
 		if (ret < 0 || ret >= end - pos)
 			return pos;
 		pos += ret;
-		first = 0;
 	}
 	if (data.key_mgmt & WPA_KEY_MGMT_WPA_NONE) {
-		ret = os_snprintf(pos, end - pos, "%sNone", first ? "" : "+");
+		ret = os_snprintf(pos, end - pos, "%sNone",
+				  pos == start ? "" : "+");
 		if (ret < 0 || ret >= end - pos)
 			return pos;
 		pos += ret;
-		first = 0;
 	}
 #ifdef CONFIG_IEEE80211R
 	if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) {
 		ret = os_snprintf(pos, end - pos, "%sFT/EAP",
-				  first ? "" : "+");
+				  pos == start ? "" : "+");
 		if (ret < 0 || ret >= end - pos)
 			return pos;
 		pos += ret;
-		first = 0;
 	}
 	if (data.key_mgmt & WPA_KEY_MGMT_FT_PSK) {
 		ret = os_snprintf(pos, end - pos, "%sFT/PSK",
-				  first ? "" : "+");
+				  pos == start ? "" : "+");
 		if (ret < 0 || ret >= end - pos)
 			return pos;
 		pos += ret;
-		first = 0;
 	}
 #endif /* CONFIG_IEEE80211R */
 #ifdef CONFIG_IEEE80211W
 	if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) {
 		ret = os_snprintf(pos, end - pos, "%sEAP-SHA256",
-				  first ? "" : "+");
+				  pos == start ? "" : "+");
 		if (ret < 0 || ret >= end - pos)
 			return pos;
 		pos += ret;
-		first = 0;
 	}
 	if (data.key_mgmt & WPA_KEY_MGMT_PSK_SHA256) {
 		ret = os_snprintf(pos, end - pos, "%sPSK-SHA256",
-				  first ? "" : "+");
+				  pos == start ? "" : "+");
 		if (ret < 0 || ret >= end - pos)
 			return pos;
 		pos += ret;
-		first = 0;
 	}
 #endif /* CONFIG_IEEE80211W */
 
@@ -2862,7 +2859,7 @@
 					      struct wpa_driver_capa *capa,
 					      char *buf, size_t buflen)
 {
-	int ret, first = 1;
+	int ret;
 	char *pos, *end;
 	size_t len;
 	unsigned int i;
@@ -2882,11 +2879,11 @@
 	for (i = 0; i < ARRAY_SIZE(ciphers); i++) {
 		if (!ciphers[i].group_only && capa->enc & ciphers[i].capa) {
 			ret = os_snprintf(pos, end - pos, "%s%s",
-					  first ? "" : " ", ciphers[i].name);
+					  pos == buf ? "" : " ",
+					  ciphers[i].name);
 			if (ret < 0 || ret >= end - pos)
 				return pos - buf;
 			pos += ret;
-			first = 0;
 		}
 	}
 
@@ -2898,7 +2895,7 @@
 					   struct wpa_driver_capa *capa,
 					   char *buf, size_t buflen)
 {
-	int ret, first = 1;
+	int ret;
 	char *pos, *end;
 	size_t len;
 	unsigned int i;
@@ -2918,11 +2915,11 @@
 	for (i = 0; i < ARRAY_SIZE(ciphers); i++) {
 		if (capa->enc & ciphers[i].capa) {
 			ret = os_snprintf(pos, end - pos, "%s%s",
-					  first ? "" : " ", ciphers[i].name);
+					  pos == buf ? "" : " ",
+					  ciphers[i].name);
 			if (ret < 0 || ret >= end - pos)
 				return pos - buf;
 			pos += ret;
-			first = 0;
 		}
 	}
 
@@ -2987,7 +2984,7 @@
 					   struct wpa_driver_capa *capa,
 					   char *buf, size_t buflen)
 {
-	int ret, first = 1;
+	int ret;
 	char *pos, *end;
 	size_t len;
 
@@ -3005,20 +3002,20 @@
 
 	if (capa->key_mgmt & (WPA_DRIVER_CAPA_KEY_MGMT_WPA2 |
 			      WPA_DRIVER_CAPA_KEY_MGMT_WPA2_PSK)) {
-		ret = os_snprintf(pos, end - pos, "%sRSN", first ? "" : " ");
+		ret = os_snprintf(pos, end - pos, "%sRSN",
+				  pos == buf ? "" : " ");
 		if (ret < 0 || ret >= end - pos)
 			return pos - buf;
 		pos += ret;
-		first = 0;
 	}
 
 	if (capa->key_mgmt & (WPA_DRIVER_CAPA_KEY_MGMT_WPA |
 			      WPA_DRIVER_CAPA_KEY_MGMT_WPA_PSK)) {
-		ret = os_snprintf(pos, end - pos, "%sWPA", first ? "" : " ");
+		ret = os_snprintf(pos, end - pos, "%sWPA",
+				  pos == buf ? "" : " ");
 		if (ret < 0 || ret >= end - pos)
 			return pos - buf;
 		pos += ret;
-		first = 0;
 	}
 
 	return pos - buf;
@@ -3029,7 +3026,7 @@
 					      struct wpa_driver_capa *capa,
 					      char *buf, size_t buflen)
 {
-	int ret, first = 1;
+	int ret;
 	char *pos, *end;
 	size_t len;
 
@@ -3046,28 +3043,27 @@
 	}
 
 	if (capa->auth & (WPA_DRIVER_AUTH_OPEN)) {
-		ret = os_snprintf(pos, end - pos, "%sOPEN", first ? "" : " ");
+		ret = os_snprintf(pos, end - pos, "%sOPEN",
+				  pos == buf ? "" : " ");
 		if (ret < 0 || ret >= end - pos)
 			return pos - buf;
 		pos += ret;
-		first = 0;
 	}
 
 	if (capa->auth & (WPA_DRIVER_AUTH_SHARED)) {
 		ret = os_snprintf(pos, end - pos, "%sSHARED",
-				  first ? "" : " ");
+				  pos == buf ? "" : " ");
 		if (ret < 0 || ret >= end - pos)
 			return pos - buf;
 		pos += ret;
-		first = 0;
 	}
 
 	if (capa->auth & (WPA_DRIVER_AUTH_LEAP)) {
-		ret = os_snprintf(pos, end - pos, "%sLEAP", first ? "" : " ");
+		ret = os_snprintf(pos, end - pos, "%sLEAP",
+				  pos == buf ? "" : " ");
 		if (ret < 0 || ret >= end - pos)
 			return pos - buf;
 		pos += ret;
-		first = 0;
 	}
 
 	return pos - buf;
@@ -3078,7 +3074,7 @@
 					   struct wpa_driver_capa *capa,
 					   char *buf, size_t buflen)
 {
-	int ret, first = 1;
+	int ret;
 	char *pos, *end;
 	size_t len;
 
@@ -3095,19 +3091,19 @@
 	}
 
 	if (capa->flags & WPA_DRIVER_FLAGS_IBSS) {
-		ret = os_snprintf(pos, end - pos, "%sIBSS", first ? "" : " ");
+		ret = os_snprintf(pos, end - pos, "%sIBSS",
+				  pos == buf ? "" : " ");
 		if (ret < 0 || ret >= end - pos)
 			return pos - buf;
 		pos += ret;
-		first = 0;
 	}
 
 	if (capa->flags & WPA_DRIVER_FLAGS_AP) {
-		ret = os_snprintf(pos, end - pos, "%sAP", first ? "" : " ");
+		ret = os_snprintf(pos, end - pos, "%sAP",
+				  pos == buf ? "" : " ");
 		if (ret < 0 || ret >= end - pos)
 			return pos - buf;
 		pos += ret;
-		first = 0;
 	}
 
 	return pos - buf;
diff --git a/wpa_supplicant/ctrl_iface_unix.c b/wpa_supplicant/ctrl_iface_unix.c
index d44313c..d4e45de 100644
--- a/wpa_supplicant/ctrl_iface_unix.c
+++ b/wpa_supplicant/ctrl_iface_unix.c
@@ -244,7 +244,7 @@
 {
 	char *buf;
 	size_t len;
-	char *pbuf, *dir = NULL, *gid_str = NULL;
+	char *pbuf, *dir = NULL;
 	int res;
 
 	if (wpa_s->conf->ctrl_interface == NULL)
@@ -254,12 +254,11 @@
 	if (pbuf == NULL)
 		return NULL;
 	if (os_strncmp(pbuf, "DIR=", 4) == 0) {
+		char *gid_str;
 		dir = pbuf + 4;
 		gid_str = os_strstr(dir, " GROUP=");
-		if (gid_str) {
+		if (gid_str)
 			*gid_str = '\0';
-			gid_str += 7;
-		}
 	} else
 		dir = pbuf;
 
@@ -573,7 +572,7 @@
 
 	if (priv->sock > -1) {
 		char *fname;
-		char *buf, *dir = NULL, *gid_str = NULL;
+		char *buf, *dir = NULL;
 		eloop_unregister_read_sock(priv->sock);
 		if (!dl_list_empty(&priv->ctrl_dst)) {
 			/*
@@ -599,12 +598,11 @@
 		if (buf == NULL)
 			goto free_dst;
 		if (os_strncmp(buf, "DIR=", 4) == 0) {
+			char *gid_str;
 			dir = buf + 4;
 			gid_str = os_strstr(dir, " GROUP=");
-			if (gid_str) {
+			if (gid_str)
 				*gid_str = '\0';
-				gid_str += 7;
-			}
 		} else
 			dir = buf;
 
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index 5380b43..bfb33d5 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -1995,25 +1995,29 @@
 
 #ifdef CONFIG_TDLS
 
-static DBusMessage * get_peer_hwaddr_helper(DBusMessage *message,
-					    const char *func_name,
-					    u8 *peer_address)
+static int get_peer_hwaddr_helper(DBusMessage *message, const char *func_name,
+				  u8 *peer_address, DBusMessage **error)
 {
 	const char *peer_string;
 
+	*error = NULL;
+
 	if (!dbus_message_get_args(message, NULL,
 				   DBUS_TYPE_STRING, &peer_string,
-				   DBUS_TYPE_INVALID))
-		return wpas_dbus_error_invalid_args(message, NULL);
+				   DBUS_TYPE_INVALID)) {
+		*error = wpas_dbus_error_invalid_args(message, NULL);
+		return -1;
+	}
 
 	if (hwaddr_aton(peer_string, peer_address)) {
 		wpa_printf(MSG_DEBUG, "%s: invalid address '%s'",
 			   func_name, peer_string);
-		return wpas_dbus_error_invalid_args(
+		*error = wpas_dbus_error_invalid_args(
 			message, "Invalid hardware address format");
+		return -1;
 	}
 
-	return NULL;
+	return 0;
 }
 
 
@@ -2032,8 +2036,7 @@
 	DBusMessage *error_reply;
 	int ret;
 
-	error_reply = get_peer_hwaddr_helper(message, __func__, peer);
-	if (error_reply)
+	if (get_peer_hwaddr_helper(message, __func__, peer, &error_reply) < 0)
 		return error_reply;
 
 	wpa_printf(MSG_DEBUG, "DBUS TDLS_DISCOVER " MACSTR, MAC2STR(peer));
@@ -2067,8 +2070,7 @@
 	DBusMessage *error_reply;
 	int ret;
 
-	error_reply = get_peer_hwaddr_helper(message, __func__, peer);
-	if (error_reply)
+	if (get_peer_hwaddr_helper(message, __func__, peer, &error_reply) < 0)
 		return error_reply;
 
 	wpa_printf(MSG_DEBUG, "DBUS TDLS_SETUP " MACSTR, MAC2STR(peer));
@@ -2103,8 +2105,7 @@
 	DBusMessage *reply;
 	const char *tdls_status;
 
-	reply = get_peer_hwaddr_helper(message, __func__, peer);
-	if (reply)
+	if (get_peer_hwaddr_helper(message, __func__, peer, &reply) < 0)
 		return reply;
 
 	wpa_printf(MSG_DEBUG, "DBUS TDLS_STATUS " MACSTR, MAC2STR(peer));
@@ -2133,8 +2134,7 @@
 	DBusMessage *error_reply;
 	int ret;
 
-	error_reply = get_peer_hwaddr_helper(message, __func__, peer);
-	if (error_reply)
+	if (get_peer_hwaddr_helper(message, __func__, peer, &error_reply) < 0)
 		return error_reply;
 
 	wpa_printf(MSG_DEBUG, "DBUS TDLS_TEARDOWN " MACSTR, MAC2STR(peer));
diff --git a/wpa_supplicant/dbus/dbus_new_helpers.c b/wpa_supplicant/dbus/dbus_new_helpers.c
index e26086d..712bffc 100644
--- a/wpa_supplicant/dbus/dbus_new_helpers.c
+++ b/wpa_supplicant/dbus/dbus_new_helpers.c
@@ -840,7 +840,6 @@
 		return;
 	eloop_cancel_timeout(flush_object_timeout_handler, con, obj_desc);
 
-	dsc = obj_desc->properties;
 	for (dsc = obj_desc->properties, i = 0; dsc && dsc->dbus_property;
 	     dsc++, i++) {
 		if (obj_desc->prop_changed_flags == NULL ||
diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index a63ee6c..aff1950 100644
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -487,7 +487,10 @@
 	query->status_code = WPA_GET_LE16(pos);
 	pos += 2;
 
-	if (query->status_code != WLAN_STATUS_SUCCESS) {
+	if (query->status_code == WLAN_STATUS_QUERY_RESP_OUTSTANDING &&
+	    action == WLAN_PA_GAS_COMEBACK_RESP) {
+		wpa_printf(MSG_DEBUG, "GAS: Allow non-zero status for outstanding comeback response");
+	} else if (query->status_code != WLAN_STATUS_SUCCESS) {
 		wpa_printf(MSG_DEBUG, "GAS: Query to " MACSTR " dialog token "
 			   "%u failed - status code %u",
 			   MAC2STR(sa), dialog_token, query->status_code);
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index 42fefb6..e3ad931 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -978,10 +978,6 @@
 			goto fail;
 	}
 
-	if (cred->password && cred->password[0] &&
-	    wpa_config_set_quoted(ssid, "password", cred->password) < 0)
-		goto fail;
-
 	wpa_s->next_ssid = ssid;
 	wpa_config_update_prio_list(wpa_s->conf);
 	interworking_reconnect(wpa_s);
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 0619f6d..7db6eb6 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -471,12 +471,11 @@
 
 	u8 i, j;
 
-	if (scan_res == NULL || num_neigh_rep == 0)
+	if (scan_res == NULL || num_neigh_rep == 0 || !wpa_s->current_bss)
 		return 0;
 
 	wpa_printf(MSG_DEBUG, "WNM: Current BSS " MACSTR " RSSI %d",
-		   MAC2STR(wpa_s->bssid),
-		   wpa_s->current_bss ? wpa_s->current_bss->level : 0);
+		   MAC2STR(wpa_s->bssid), wpa_s->current_bss->level);
 
 	for (i = 0; i < num_neigh_rep; i++) {
 		for (j = 0; j < scan_res->num; j++) {