| author | Arif Hussain <arifhussain@codeaurora.org> | 2017-10-18 15:33:11 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-10-18 16:49:08 -0700 |
| commit | 76f291b42a95f145a7b763865f8ec75a445a3129 (patch) | |
| tree | cb46dca65ffbd79f3748f63c81625ecf54f3963c | |
| parent | c89fe423bc46972bc3f6f82b5d950ef2d497edda (diff) | |
qcacld-3.0: Fix the wrap-around issue in rrm_fill_beacon_ies
Currently BcnNumIes is a uint8_t used to hold the IE length, so it
cannot hold an IE length greater than 255: the value would wrap
around to zero or to a smaller number.
So change BcnNumIes variable type from uint8_t to uint16_t.
Also change to bss desc copy logic in
sme_rrm_send_beacon_report_xmit_ind function.
Change-Id: Ie92a9afbf6e3674a0730f5f48210424b1d34386d
CRs-Fixed: 2124579
| -rw-r--r-- | core/mac/src/pe/rrm/rrm_api.c | 4 | ||||
| -rw-r--r-- | core/sme/src/rrm/sme_rrm.c | 14 |
2 files changed, 7 insertions, 11 deletions
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index 8f36c0f2f490..26c208178517 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -694,7 +694,7 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
 uint8_t *eids, uint8_t numEids, tpSirBssDescription pBssDesc)
 {
 uint8_t len, *pBcnIes, count = 0, i;
- uint8_t BcnNumIes;
+ uint16_t BcnNumIes;
 if ((pIes == NULL) || (pNumIes == NULL) || (pBssDesc == NULL)) {
 pe_err("Invalid parameters");
@@ -704,7 +704,7 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
 numEids = (eids == NULL) ? 0 : numEids;
 pBcnIes = (uint8_t *) &pBssDesc->ieFields[0];
- BcnNumIes = (uint8_t) GET_IE_LEN_IN_BSS(pBssDesc->length);
+ BcnNumIes = GET_IE_LEN_IN_BSS(pBssDesc->length);
 *pNumIes = 0;
diff --git a/core/sme/src/rrm/sme_rrm.c b/core/sme/src/rrm/sme_rrm.c
index e770d4d26bee..2188ed178550 100644
--- a/core/sme/src/rrm/sme_rrm.c
+++ b/core/sme/src/rrm/sme_rrm.c
@@ -172,7 +172,8 @@ sme_rrm_send_beacon_report_xmit_ind(tpAniSirGlobal mac_ctx,
 {
 tpSirBssDescription bss_desc = NULL;
 tpSirBeaconReportXmitInd beacon_rep;
- uint16_t length, ie_len, tot_len;
+ uint16_t length;
+ uint32_t size;
 uint8_t i = 0, j = 0, counter = 0;
 tCsrScanResultInfo *cur_result = NULL;
 QDF_STATUS status = QDF_STATUS_E_FAILURE;
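Review bot: The widened BcnNumIes in the second rrm_api.c hunk is still paired with the 8-bit walk state declared in the first hunk, `uint8_t len, *pBcnIes, count = 0, i;`, and with the caller-supplied `uint8_t *pNumIes, uint8_t pIesMaxSize`, so the loop that advances through the IE block and copies entries out (outside the hunk, as is the rest of rrm_fill_beacon_ies) should be re-checked: an 8-bit cursor compared against a 16-bit BcnNumIes can no longer reach an IE block above 255 bytes, and a count that still wraps at 255 would defeat the purpose of this change. The assignment `BcnNumIes = GET_IE_LEN_IN_BSS(pBssDesc->length);` also deserves a note that `pBssDesc->length` originates from the received frame; if GET_IE_LEN_IN_BSS subtracts the fixed-header size from it (its definition is not visible here), a descriptor shorter than the header would produce a wrapped, very large IE length, so I would add `/* length is frame-derived: reject descriptors shorter than the fixed header before deriving the IE length */` above the assignment together with the corresponding check.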
@@ -207,18 +208,13 @@ sme_rrm_send_beacon_report_xmit_ind(tpAniSirGlobal mac_ctx,
 bss_desc = &cur_result->BssDescriptor;
 if (bss_desc == NULL)
 break;
- ie_len = GET_IE_LEN_IN_BSS(bss_desc->length);
- tot_len = ie_len + sizeof(*bss_desc);
- beacon_rep->pBssDescription[i] =
- qdf_mem_malloc(tot_len);
+ size = bss_desc->length + sizeof(bss_desc->length);
+ beacon_rep->pBssDescription[i] = qdf_mem_malloc(size);
 if (NULL == beacon_rep->pBssDescription[i])
 break;
 qdf_mem_copy(beacon_rep->pBssDescription[i],
- bss_desc, sizeof(tSirBssDescription));
- qdf_mem_copy(
- &beacon_rep->pBssDescription[i]->ieFields[0],
- bss_desc->ieFields, ie_len);
+ bss_desc, size);
 bss_desc_to_free[i] = beacon_rep->pBssDescription[i];
 sme_debug("RRM Result Bssid = " MAC_ADDRESS_STR |
