Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

qcacld-2.0: Fix while condition in rrm_fill_beacon_ies() 

In function rrm_fill_beacon_ies, do while loop is checked
for BcnNumIes if it is greater than IE length 0. Fix the
check to be greater than 2 as the first two bytes is IE
header(element ID and IE length fields both 1 byte each.)

Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4
CRs-Fixed: 2635664
This commit is contained in:
Will Huang 2020-03-06 20:40:41 +08:00 committed by syphyr
parent 187d27cc7e
commit 2b694b422f
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
View File

@ -708,14 +708,14 @@ rrmFillBeaconIes( tpAniSirGlobal pMac,
*((tANI_U16*)pIes) = pBssDesc->capabilityInfo;
*pNumIes+=sizeof(tANI_U16); pIes+=sizeof(tANI_U16);
while ( BcnNumIes > 0 )
while ( BcnNumIes >= 2 )
{
len = *(pBcnIes + 1);
len += 2; //element id + length.
limLog( pMac, LOG3, "EID = %d, len = %d total = %d",
*pBcnIes, *(pBcnIes+1), len );
if (BcnNumIes < len) {
if (BcnNumIes < len || len <= 2) {
limLog(pMac, LOGE, "RRM: Invalid IE len: %d, exp_len: %d",
len, BcnNumIes);
break;