From da995b2e11f10c6e643d0a2ce43f24e81dd78dae Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Thu, 12 Jun 2014 22:36:02 +0300
Subject: [PATCH] WNM: Use cleaner way of generating pointer to a field (CID
 68099)

The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/ap/wnm_ap.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/ap/wnm_ap.c b/src/ap/wnm_ap.c
index 8e5bdcb06..cf25dbb68 100644
--- a/src/ap/wnm_ap.c
+++ b/src/ap/wnm_ap.c
@@ -376,10 +376,9 @@ int ieee802_11_rx_wnm_action_ap(struct hostapd_data *hapd,
 	if (len < IEEE80211_HDRLEN + 2)
 		return -1;
 
-	payload = &mgmt->u.action.category;
-	payload++;
+	payload = ((const u8 *) mgmt) + IEEE80211_HDRLEN + 1;
 	action = *payload++;
-	plen = (((const u8 *) mgmt) + len) - payload;
+	plen = len - IEEE80211_HDRLEN - 2;
 
 	switch (action) {
 	case WNM_BSS_TRANS_MGMT_QUERY:
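Review bot: the new `payload` and `plen` lines use bare constants (`+ 1` and `- 2`) whose meaning and safety both depend on the `len < IEEE80211_HDRLEN + 2` check at the top of the hunk, and nothing in the code says so. The removed lines made it clear that the skipped octet is `u.action.category` and that the next one is the Action code; the replacement drops that documentation. Consider a one-line comment above the `payload` assignment stating that the fixed header is followed by the Category and Action octets and that the length check above covers both. That keeps the guard and `plen = len - IEEE80211_HDRLEN - 2` in sync if either is edited later. If the guard were ever loosened, the subtraction could go negative or wrap, depending on the type of `len`, which is not visible in this hunk.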