| author | Raja Mani <rmani@qti.qualcomm.com> | 2013-10-28 12:20:00 +0530 |
|---|---|---|
| committer | Madan Mohan Koyyalamudi <mkoyyala@qca.qualcomm.com> | 2013-11-14 19:51:23 -0800 |
| commit | ca73848c5e8b8ef546839e83ccff060a67a841c3 (patch) | |
| tree | 04f7a4fce357823e13608b77dc0e04c8a398b6d5 | |
| parent | 4045682c2a7030fba593886b2c597dffad21a28c (diff) | |
cld: sme: Fix random crash in csrSavePnoScanResults
A one-byte variable (ieLen) was used in csrSavePnoScanResults() to
track the IE length. The IEs received from a remote AP can exceed
255 bytes, which does not fit in one byte, so the stored length was
truncated. ieLen is now defined as tANI_U16 to fix this issue, and
this patch also eliminates the local variable pIesLocal in the same
function.
Change-Id: I3b7fb6168ff49f792946cf3e5d3f65bf9b271957
CRs-fixed: 567665
| -rw-r--r-- | CORE/SME/src/csr/csrApiScan.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/CORE/SME/src/csr/csrApiScan.c b/CORE/SME/src/csr/csrApiScan.c
index caf345215e81..fa08212a9c55 100644
--- a/CORE/SME/src/csr/csrApiScan.c
+++ b/CORE/SME/src/csr/csrApiScan.c
@@ -4722,7 +4722,6 @@ tANI_BOOLEAN csrScanIsWildCardScan( tpAniSirGlobal pMac, tSmeCmd *pCommand )
 eHalStatus csrSavePnoScanResults(tpAniSirGlobal pMac, tSirSmeScanRsp *pScanRsp)
 {
 tSirBssDescription *pSirBssDescription;
- tDot11fBeaconIEs *pIesLocal = NULL;
 tANI_U32 cbScanResult = GET_FIELD_OFFSET( tSirSmeScanRsp, bssDescription )
 + sizeof(tSirBssDescription); //We need at least one CB
 tCsrScanResult *pScanResult = NULL;
@@ -4730,7 +4729,7 @@ eHalStatus csrSavePnoScanResults(tpAniSirGlobal pMac, tSirSmeScanRsp *pScanRsp)
 v_TIME_t timer;
 tANI_U32 cbParsed;
 tANI_U32 cbBssDesc;
- tANI_U8 ieLen;
+ tANI_U16 ieLen;
 
 if ((cbScanResult > pScanRsp->length ) ||
 (( eSIR_SME_SUCCESS != pScanRsp->statusCode ) &&
@@ -4760,10 +4759,9 @@ eHalStatus csrSavePnoScanResults(tpAniSirGlobal pMac, tSirSmeScanRsp *pScanRsp)
 }
 
 palZeroMemory( pMac->hHdd, pScanResult, sizeof(tCsrScanResult) + ieLen);
- pIesLocal = (tDot11fBeaconIEs *)( pScanResult->Result.pvIes );
 
 if (!HAL_STATUS_SUCCESS(csrGetParsedBssDescriptionIEs(pMac,
- pSirBssDescription, &pIesLocal)))
+ pSirBssDescription, (tDot11fBeaconIEs **)&pScanResult->Result.pvIes)))
 {
 smsLog(pMac, LOGE, FL(" Cannot parse IEs"));
 csrFreeScanResultEntry(pMac, pScanResult);
@@ -4778,9 +4776,12 @@ eHalStatus csrSavePnoScanResults(tpAniSirGlobal pMac, tSirSmeScanRsp *pScanRsp)
 
 // Remove duplicate entry
 csrRemoveDupBssDescription( pMac, &pScanResult->Result.BssDescriptor,
- pIesLocal, &tmpSsid , &timer );
+ (tDot11fBeaconIEs *)pScanResult->Result.pvIes,
+ &tmpSsid , &timer );
+
 //Add to scan cache
- csrScanAddResult(pMac, pScanResult, pIesLocal);
+ csrScanAddResult(pMac, pScanResult,
+ (tDot11fBeaconIEs *)pScanResult->Result.pvIes);
 
 // skip over the BSS description to the next one...
 cbParsed += cbBssDesc;
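Review bot: Changing the declaration to `tANI_U16 ieLen;` is only half the fix: the assignment to ieLen is outside this hunk, and if it still narrows the computed length (for example through a `(tANI_U8)` cast) the value wraps exactly as before and the `sizeof(tCsrScanResult) + ieLen` allocation in the next hunk stays too small. The length ultimately comes from a BSS description supplied by a remote AP, so beyond widening the type it should be bounded against the bytes actually remaining in pScanRsp (the function already tracks cbParsed and cbBssDesc, presumably for that purpose) before it is used as an allocation size or copy length. A one-line comment at the declaration, `/* IE length taken from the AP's frame; can exceed 255 bytes, so must not be a byte type */`, would keep the type from being narrowed again later. csrSavePnoScanResults starts in the previous hunk and continues past this one.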
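Review bot: `(tDot11fBeaconIEs **)&pScanResult->Result.pvIes` makes csrGetParsedBssDescriptionIEs store a `tDot11fBeaconIEs *` through an lvalue whose real object type is, judging by the `(tDot11fBeaconIEs *)` casts elsewhere in this diff, `void *`; that is pointer type-punning the C standard does not guarantee, and a strict-aliasing build may miscompile it even though it works on this target. The same effect without the cast is a typed local: declare `tDot11fBeaconIEs *pIes = NULL;`, pass `&pIes`, and store `pScanResult->Result.pvIes = pIes;` immediately after the call and before the status check, so a buffer handed back on a failed parse is still released by csrFreeScanResultEntry. Note that palZeroMemory on the preceding line leaves pvIes NULL going into the call; whether csrGetParsedBssDescriptionIEs allocates in that case cannot be seen from here and decides who owns the result. The enclosing function begins and ends outside this hunk.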
