aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorsheenam monga <shebala@codeaurora.org>2020-03-11 15:34:39 +0530
committerJeferson Oliveira <jroliveira.oliveira301@gmail.com>2021-08-17 21:06:54 +0200
commit7f807a2688ee72658b587037b3659ae94b15853f (patch)
tree10751a6337f68b24857ede62d6b0f7dcad881f7f
parent666a4b38619b2f3d4ede766d085719a1a3929fff (diff)
wlan: check BcnNumIes against size of header instead of 0
Currently, for while loop BcnNumIes is checked against 0 which may cause OOB read for len = *(pBcnIes + 1). Fix is to check BcnNumIes against size of header i.e 2 instead of 0 to avoid 00B read. Change-Id: Id167410da790e449d36853d8505142e1b218e9b8 CRs-Fixed: 2635666 (cherry picked from commit 7957db59a545ac43b260401546f4bc72470783df)
Diffstat
-rw-r--r--drivers/staging/prima/CORE/MAC/src/pe/rrm/rrmApi.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/prima/CORE/MAC/src/pe/rrm/rrmApi.c b/drivers/staging/prima/CORE/MAC/src/pe/rrm/rrmApi.c
index 2ddd349cb48..aca2007d592 100644
--- a/drivers/staging/prima/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -737,7 +737,7 @@ rrmFillBeaconIes( tpAniSirGlobal pMac,
*((tANI_U16*)pIes) = pBssDesc->capabilityInfo;
*pNumIes+=sizeof(tANI_U16); pIes+=sizeof(tANI_U16);
- while ( BcnNumIes > 0 )
+ while ( BcnNumIes >= 2 )
{
len = *(pBcnIes + 1) + 2; //element id + length.
limLog( pMac, LOG3, "EID = %d, len = %d total = %d",
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-20 00:06:14 +0000