Fix the handling of unknown tagged parameters in management frames.
authorGuy Harris <[email protected]>
Tue, 5 Apr 2011 16:53:57 +0000 (09:53 -0700)
committerGuy Harris <[email protected]>
Tue, 5 Apr 2011 16:53:57 +0000 (09:53 -0700)
Fetch the element length early in the process, rather than fetching it
each time we need it - even after we've advanced the pointer we are
using to fetch it (doing the latter means we fetch the wrong value when
we subtract it from the remaining length).

print-802_11.c

index 385e6cb63ebe4a8243c89520a98edde1623110d6..64c9f24db9798d84dc14dec2af3e1dcb83675e3d 100644 (file)
@@ -269,6 +269,7 @@ static int
 parse_elements(struct mgmt_body_t *pbody, const u_char *p, int offset,
     u_int length)
 {
+       u_int elementlen;
        struct ssid_t ssid;
        struct challenge_t challenge;
        struct rates_t rates;
@@ -487,12 +488,13 @@ parse_elements(struct mgmt_body_t *pbody, const u_char *p, int offset,
                                return 0;
                        if (length < 2)
                                return 0;
-                       if (!TTEST2(*(p + offset + 2), *(p + offset + 1)))
+                       elementlen = *(p + offset + 1);
+                       if (!TTEST2(*(p + offset + 2), elementlen))
                                return 0;
-                       if (length < (u_int)(*(p + offset + 1) + 2))
+                       if (length < elementlen + 2)
                                return 0;
-                       offset += *(p + offset + 1) + 2;
-                       length -= *(p + offset + 1) + 2;
+                       offset += elementlen + 2;
+                       length -= elementlen + 2;
                        break;
                }
        }
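Review bot: The added `elementlen = *(p + offset + 1);` line has no comment saying that the length octet must be read once before `offset` is advanced, and that ordering is the whole fix. I would put `/* Read the length octet once, before offset moves: re-reading it after the advance fetches a byte from the next element. */` above it, because `length` is a `u_int` and subtracting a wrong value could wrap it and weaken the later `length <` checks. As far as this hunk shows, `elementlen` is used only in this branch, so it could be declared inside the branch's braces instead of at the top of parse_elements. The switch and loop that enclose this branch start outside the hunk, so whether the other element cases re-read a length after advancing cannot be confirmed from here.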