From 2b694b422f16926116fef2e868afa99d67078aa1 Mon Sep 17 00:00:00 2001
From: Will Huang <wilhuang@codeaurora.org>
Date: Fri, 6 Mar 2020 20:40:41 +0800
Subject: [PATCH] qcacld-2.0: Fix while condition in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, do while loop is checked
for BcnNumIes if it is greater than IE length 0. Fix the
check to be greater than 2 as the first two bytes is IE
header(element ID and IE length fields both 1 byte each.)

Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4
CRs-Fixed: 2635664
---
 drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c b/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
index c0afd8f4868b..e924de593a89 100644
--- a/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -708,14 +708,14 @@ rrmFillBeaconIes( tpAniSirGlobal pMac,
    *((tANI_U16*)pIes) = pBssDesc->capabilityInfo;
    *pNumIes+=sizeof(tANI_U16); pIes+=sizeof(tANI_U16);
 
-   while ( BcnNumIes > 0 )
+   while ( BcnNumIes >= 2 )
    {
       len = *(pBcnIes + 1);
       len += 2;            //element id + length.
       limLog( pMac, LOG3, "EID = %d, len = %d total = %d",
              *pBcnIes, *(pBcnIes+1), len );
 
-      if (BcnNumIes < len) {
+      if (BcnNumIes < len || len <= 2) {
           limLog(pMac, LOGE, "RRM: Invalid IE len: %d, exp_len: %d",
                  len, BcnNumIes);
           break;