correct ie length check; need to include fixed part of ie

MFC after:	2 weeks

1 files changed, 4 insertions, 4 deletions

diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index c1c5d97..f278b73 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1819,7 +1819,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 		scan.chan = scan.bchan;
 
 		while (efrm - frm > 1) {
-			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
+			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
 			switch (*frm) {
 			case IEEE80211_ELEMID_SSID:
 				scan.ssid = frm;
@@ -2066,7 +2066,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 		 */
 		ssid = rates = xrates = NULL;
 		while (efrm - frm > 1) {
-			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
+			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
 			switch (*frm) {
 			case IEEE80211_ELEMID_SSID:
 				ssid = frm;
@@ -2243,7 +2243,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 			frm += 6;	/* ignore current AP info */
 		ssid = rates = xrates = wpa = wme = NULL;
 		while (efrm - frm > 1) {
-			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
+			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
 			switch (*frm) {
 			case IEEE80211_ELEMID_SSID:
 				ssid = frm;
@@ -2449,7 +2449,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 
 		rates = xrates = wpa = wme = NULL;
 		while (efrm - frm > 1) {
-			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
+			IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);
 			switch (*frm) {
 			case IEEE80211_ELEMID_RATES:
 				rates = frm;