From d14e63a2aaa0ad3275053ffed7cdbd469a937358 Mon Sep 17 00:00:00 2001
From: Avraham Stern
Date: Mon, 29 Feb 2016 14:30:00 +0200
Subject: [PATCH] WNM: Do not scan based on malformed BSS Transition Management Request

Verify that when the Candidate List Included bit is set in a BSS Transition Management Request frame, the candidate list actually includes at least one candidate. If no candidates are included, reject the request without scanning.

Signed-off-by: Avraham Stern
---
 wpa_supplicant/wnm_sta.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index b8f717e91..7d2a92faf 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -1120,6 +1120,17 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
 pos += len;
 }
+
+ if (!wpa_s->wnm_num_neighbor_report) {
+ wpa_printf(MSG_DEBUG,
+ "WNM: Candidate list included bit is set, but no candidates found");
+ wnm_send_bss_transition_mgmt_resp(
+ wpa_s, wpa_s->wnm_dialog_token,
+ WNM_BSS_TM_REJECT_NO_SUITABLE_CANDIDATES,
+ 0, NULL);
+ return;
+ }
+
 wnm_sort_cand_list(wpa_s);
 wnm_dump_cand_list(wpa_s);
 valid_ms = valid_int * beacon_int * 128 / 125;
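Review bot: The new `return;` leaves the function right after the reject response is sent, so any per-request state set up before the parse loop stays in place; that setup is outside this hunk (the body of ieee802_11_rx_bss_trans_mgmt_req starts above it and continues below), so it is worth confirming that an empty-list reject leaves no stale candidate storage or mode flags for the next request. The check also relies on `wpa_s->wnm_num_neighbor_report` counting only elements that were accepted as neighbor reports, which the visible lines do not show. A short comment above the `if` would record why the frame is refused, for example `/* Candidate List Included is set but no candidate was parsed: treat the request as malformed and reject it without scanning */`. Since the message is logged at `MSG_DEBUG`, consider whether a malformed request from the AP deserves a level that shows up in default logs.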