authorArif Hussain <arifhussain@codeaurora.org>2017-10-18 15:33:11 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2017-10-18 16:49:08 -0700
commit76f291b42a95f145a7b763865f8ec75a445a3129 (patch)
treecb46dca65ffbd79f3748f63c81625ecf54f3963c
parentc89fe423bc46972bc3f6f82b5d950ef2d497edda (diff)
qcacld-3.0: Fix the wrap-around issue in rrm_fill_beacon_ies
Currently BcnNumIes is a uint8_t used to hold the IE length; it cannot hold an IE length greater than 255, which wraps around to zero or a smaller number. So change the BcnNumIes variable type from uint8_t to uint16_t. Also change the bss desc copy logic in the sme_rrm_send_beacon_report_xmit_ind function. Change-Id: Ie92a9afbf6e3674a0730f5f48210424b1d34386d CRs-Fixed: 2124579
-rw-r--r--core/mac/src/pe/rrm/rrm_api.c4
-rw-r--r--core/sme/src/rrm/sme_rrm.c14
2 files changed, 7 insertions, 11 deletions
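diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index 8f36c0f2f490..26c208178517 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -694,7 +694,7 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
 uint8_t *eids, uint8_t numEids, tpSirBssDescription pBssDesc)
 {
 uint8_t len, *pBcnIes, count = 0, i;
- uint8_t BcnNumIes;
+ uint16_t BcnNumIes;
 if ((pIes == NULL) || (pNumIes == NULL) || (pBssDesc == NULL)) {
 pe_err("Invalid parameters");
@@ -704,7 +704,7 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
 numEids = (eids == NULL) ? 0 : numEids;
 pBcnIes = (uint8_t *) &pBssDesc->ieFields[0];
- BcnNumIes = (uint8_t) GET_IE_LEN_IN_BSS(pBssDesc->length);
+ BcnNumIes = GET_IE_LEN_IN_BSS(pBssDesc->length);
 *pNumIes = 0;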
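Review bot: Widening BcnNumIes to uint16_t at `+ uint16_t BcnNumIes;` removes the truncation at that one assignment, but `len`, `count` and `i` on the line above remain uint8_t, and the loop that walks pBcnIes up to BcnNumIes, along with the `*pNumIes` output count, lies outside this hunk; if that index or count is also 8-bit the wrap-around is relocated rather than eliminated, so the rest of rrm_fill_beacon_ies should be checked for the same width. In the second hunk the cast is dropped from `BcnNumIes = GET_IE_LEN_IN_BSS(pBssDesc->length);`; pBssDesc->length originates from a received frame, and if the macro subtracts a fixed descriptor size (its definition is not visible here), a length below that size would yield a negative value that the uint16_t assignment turns into a large upper bound for the IE walk. Rejecting a pBssDesc->length smaller than the descriptor's fixed part before applying the macro would keep the bound trustworthy; the exact threshold depends on the macro. The body of rrm_fill_beacon_ies continues outside the hunk.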
diff --git a/core/sme/src/rrm/sme_rrm.c b/core/sme/src/rrm/sme_rrm.c
index e770d4d26bee..2188ed178550 100644
--- a/core/sme/src/rrm/sme_rrm.c
+++ b/core/sme/src/rrm/sme_rrm.c
@@ -172,7 +172,8 @@ sme_rrm_send_beacon_report_xmit_ind(tpAniSirGlobal mac_ctx,
{
tpSirBssDescription bss_desc = NULL;
tpSirBeaconReportXmitInd beacon_rep;
- uint16_t length, ie_len, tot_len;
+ uint16_t length;
+ uint32_t size;
uint8_t i = 0, j = 0, counter = 0;
tCsrScanResultInfo *cur_result = NULL;
QDF_STATUS status = QDF_STATUS_E_FAILURE;
@@ -207,18 +208,13 @@ sme_rrm_send_beacon_report_xmit_ind(tpAniSirGlobal mac_ctx,
bss_desc = &cur_result->BssDescriptor;
if (bss_desc == NULL)
break;
- ie_len = GET_IE_LEN_IN_BSS(bss_desc->length);
- tot_len = ie_len + sizeof(*bss_desc);
- beacon_rep->pBssDescription[i] =
- qdf_mem_malloc(tot_len);
+ size = bss_desc->length + sizeof(bss_desc->length);
+ beacon_rep->pBssDescription[i] = qdf_mem_malloc(size);
if (NULL ==
beacon_rep->pBssDescription[i])
break;
qdf_mem_copy(beacon_rep->pBssDescription[i],
- bss_desc, sizeof(tSirBssDescription));
- qdf_mem_copy(
- &beacon_rep->pBssDescription[i]->ieFields[0],
- bss_desc->ieFields, ie_len);
+ bss_desc, size);
bss_desc_to_free[i] =
beacon_rep->pBssDescription[i];
sme_debug("RRM Result Bssid = " MAC_ADDRESS_STR