qcacld-2.0: Update correct msg length in oemData_SendMBOemDataReq API

In oemData_SendMBOemDataReq(), messageLen of struct 'tSirOemDataReq'
is updated with more memory than allocated to the structure.

Fix is to update messageLen with size of struct.

Change-Id: Ib60fd07543f630985fe29427809d822275bbb8e0
CRs-Fixed: 1069175

1 files changed, 1 insertions, 3 deletions

diff --git a/CORE/SME/src/oemData/oemDataApi.c b/CORE/SME/src/oemData/oemDataApi.c
index 3e42350e80fc..fc3f91cf6ba6 100644
--- a/CORE/SME/src/oemData/oemDataApi.c
+++ b/CORE/SME/src/oemData/oemDataApi.c
@@ -208,7 +208,6 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
 {
     eHalStatus status = eHAL_STATUS_SUCCESS;
     tSirOemDataReq* pMsg;
-    tANI_U16 msgLen;
     tCsrRoamSession *pSession;
 
     smsLog(pMac, LOGW, "OEM_DATA: entering Function %s", __func__);
@@ -225,9 +224,8 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
         return eHAL_STATUS_FAILURE;
     }
 
-    msgLen = (uint16_t) (sizeof(*pMsg) + pOemDataReq->data_len);
     pMsg->messageType = pal_cpu_to_be16((tANI_U16)eWNI_SME_OEM_DATA_REQ);
-    pMsg->messageLen = pal_cpu_to_be16(msgLen);
+    pMsg->messageLen = pal_cpu_to_be16((uint16_t) sizeof(*pMsg));
     vos_mem_copy(pMsg->selfMacAddr, pSession->selfMacAddr, sizeof(tSirMacAddr) );
     pMsg->data_len = pOemDataReq->data_len;
     /* Incoming buffer ptr saved, set to null to avoid free by caller */