253 	const u8 *pos = frm; /* point to payload after the action field */
278 	pos += 3 + key_len_total;
279 	while (pos - frm + 1 < len) {
280 		u8 ie_len = *(pos + 1);
281 		if (2 + ie_len > frm + len - pos) {
285 		wpa_hexdump(MSG_DEBUG, "WNM: Element", pos, 2 + ie_len);
286 		if (*pos == WLAN_EID_WNMSLEEP && ie_len >= 4)
287 			wnmsleep_ie = (struct wnm_sleep_element *) pos;
288 		else if (*pos == WLAN_EID_TFS_RESP) {
290 				tfsresp_ie_start = pos;
291 			tfsresp_ie_end = pos;
293 			wpa_printf(MSG_DEBUG, "EID %d not recognized", *pos);
294 		pos += ie_len + 2;
343 					   u8 id, u8 elen, const u8 *pos)
351 		rep->tsf_offset = WPA_GET_LE16(pos);
352 		rep->beacon_int = WPA_GET_LE16(pos + 2);
361 		os_memcpy(rep->country, pos, 2);
370 		rep->preference = pos[0];
374 		rep->bss_term_tsf = WPA_GET_LE64(pos);
375 		rep->bss_term_dur = WPA_GET_LE16(pos + 8);
384 		rep->bearing = WPA_GET_LE16(pos);
385 		rep->distance = WPA_GET_LE32(pos + 2);
386 		rep->rel_height = WPA_GET_LE16(pos + 2 + 4);
399 		rep->meas_pilot->measurement_pilot = pos[0];
401 		os_memcpy(rep->meas_pilot->subelems, pos + 1, elen - 1);
409 		os_memcpy(rep->rm_capab, pos, 5);
421 		rep->mul_bssid->max_bssid_indicator = pos[0];
423 		os_memcpy(rep->mul_bssid->subelems, pos + 1, elen - 1);
461 				      const u8 *pos, u8 len,
471 	os_memcpy(rep->bssid, pos, ETH_ALEN);
472 	rep->bssid_info = WPA_GET_LE32(pos + ETH_ALEN);
473 	rep->regulatory_class = *(pos + 10);
474 	rep->channel_number = *(pos + 11);
475 	rep->phy_type = *(pos + 12);
477 	pos += 13;
483 		id = *pos++;
484 		elen = *pos++;
492 		wnm_parse_neighbor_report_elem(rep, id, elen, pos);
494 		pos += elen;
655 	u8 *pos = buf;
663 	*pos++ = WLAN_EID_NEIGHBOR_REPORT;
665 	*pos++ = 16;
666 	os_memcpy(pos, bssid, ETH_ALEN);
667 	pos += ETH_ALEN;
668 	WPA_PUT_LE32(pos, bss_info);
669 	pos += 4;
670 	*pos++ = op_class;
671 	*pos++ = chan;
672 	*pos++ = phy_type;
673 	*pos++ = WNM_NEIGHBOR_BSS_TRANSITION_CANDIDATE;
674 	*pos++ = 1;
675 	*pos++ = pref;
676 	return pos - buf;
737 	u8 *pos = buf;
760 			res = wnm_nei_rep_add_bss(wpa_s, bss, pos, len, pref--);
768 			pos += res;
775 		    buf, pos - buf);
777 	return pos - buf;
786 	u8 buf[2000], *pos;
812 	pos = mgmt->u.action.u.bss_tm_resp.variable;
814 		os_memcpy(pos, target_bssid, ETH_ALEN);
815 		pos += ETH_ALEN;
822 		os_memset(pos, 0, ETH_ALEN);
823 		pos += ETH_ALEN;
827 		pos += wnm_add_cand_list(wpa_s, pos, buf + sizeof(buf) - pos);
831 		pos += wpas_mbo_ie_bss_trans_reject(
832 			wpa_s, pos, buf + sizeof(buf) - pos,
837 	len = pos - (u8 *) &mgmt->u.action.category;
1133 					     const u8 *pos, const u8 *end,
1142 	if (end - pos < 5)
1150 	wpa_s->wnm_dialog_token = pos[0];
1151 	wpa_s->wnm_mode = pos[1];
1152 	wpa_s->wnm_dissoc_timer = WPA_GET_LE16(pos + 2);
1153 	valid_int = pos[4];
1175 	pos += 5;
1178 		if (end - pos < 12) {
1182 		os_memcpy(wpa_s->wnm_bss_termination_duration, pos, 12);
1183 		pos += 12; /* BSS Termination Duration */
1189 		if (end - pos < 1 || 1 + pos[0] > end - pos) {
1194 		os_memcpy(url, pos + 1, pos[0]);
1195 		url[pos[0]] = '\0';
1196 		pos += 1 + pos[0];
1215 	vendor = get_ie(pos, end - pos, WLAN_EID_VENDOR_SPECIFIC);
1231 		while (end - pos >= 2 &&
1234 			u8 tag = *pos++;
1235 			u8 len = *pos++;
1239 			if (len > end - pos) {
1247 				wnm_parse_neighbor_report(wpa_s, pos, len, rep);
1251 			pos += len;
1333 	u8 buf[2000], *pos;
1354 	pos = mgmt->u.action.u.bss_tm_query.variable;
1357 		pos += wnm_add_cand_list(wpa_s, pos, buf + sizeof(buf) - pos);
1359 	len = pos - (u8 *) &mgmt->u.action.category;
1373 	const u8 *pos, *end, *next;
1376 	pos = data;
1379 	while (end - pos > 1) {
1380 		ie = *pos++;
1381 		ie_len = *pos++;
1384 		if (ie_len > end - pos) {
1389 		next = pos + ie_len;
1391 			pos = next;
1395 			   WPA_GET_BE24(pos), pos[3]);
1399 		    WPA_GET_BE24(pos) == OUI_WFA &&
1400 		    pos[3] == HS20_WNM_SUB_REM_NEEDED) {
1409 			ie_end = pos + ie_len;
1410 			pos += 4;
1411 			url_len = *pos++;
1417 				if (url_len + 1 > ie_end - pos) {
1420 						   (int) (ie_end - pos));
1426 				os_memcpy(url, pos, url_len);
1428 				osu_method = pos[url_len];
1433 			pos = next;
1438 		    WPA_GET_BE24(pos) == OUI_WFA &&
1439 		    pos[3] == HS20_WNM_DEAUTH_IMMINENT_NOTICE) {
1446 			ie_end = pos + ie_len;
1447 			pos += 4;
1448 			code = *pos++;
1449 			reauth_delay = WPA_GET_LE16(pos);
1450 			pos += 2;
1451 			url_len = *pos++;
1456 			if (url_len > ie_end - pos)
1461 			os_memcpy(url, pos, url_len);
1466 			pos = next;
1471 		pos = next;
1479 	const u8 *pos, *end;
1487 	pos = frm;
1488 	dialog_token = *pos++;
1489 	type = *pos++;
1495 		    pos, end - pos);
1506 		ieee802_11_rx_wnm_notif_req_wfa(wpa_s, sa, pos, end - pos);
1519 	const u8 *pos, *end;
1525 	pos = ((const u8 *) mgmt) + IEEE80211_HDRLEN + 1;
1526 	act = *pos++;
1540 		ieee802_11_rx_bss_trans_mgmt_req(wpa_s, pos, end,
1544 		ieee802_11_rx_wnmsleep_resp(wpa_s, pos, end - pos);
1547 		ieee802_11_rx_wnm_notif_req(wpa_s, mgmt->sa, pos, end - pos);

Indexes created Sun Sep 10 09:05:34 CEST 2017