The RSN capability field may be the last two bytes in the IE.
802.11-2016 9.4.2.25.1 (General) doesn't require anything
afterwards - the PMKID/List and Group Management Cipher Suite
are optional.
Thus having a check of len > 2 will miss the situation where it
IS the last field.
This showed up when developing MFP, as I'm using optional MFP
at home and optional MFP doesn't encrypt group management frames.
(It should only add the BIP message integrity check IE in each
action frame.)