WNM: Fix candidates count in BSS Transition Management Request

In BSS Transition Management Request frame, it is possible that vendor
specific IEs are included after the candidate list. In this case the
candidates count was incremented for each IE although the candidate list
is already over which could result in adding all zeros candidates into
the neighbor list.

Fix that by incrementing the candidates count only for neighbor report
elements.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 4da9124..b8f717e 100644 (file)
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -1115,10 +1115,10 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
                                rep = &wpa_s->wnm_neighbor_report_elements[
                                        wpa_s->wnm_num_neighbor_report];
                                wnm_parse_neighbor_report(wpa_s, pos, len, rep);
+                               wpa_s->wnm_num_neighbor_report++;
                        }
 
                        pos += len;
-                       wpa_s->wnm_num_neighbor_report++;
                }
                wnm_sort_cand_list(wpa_s);
                wnm_dump_cand_list(wpa_s);