Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6ab54225 authored by sheenam monga's avatar sheenam monga
Browse files

wlan: check BcnNumIes against size of header instead of 0 

Currently, for while loop BcnNumIes is checked against 0
which may cause OOB read for len = *(pBcnIes + 1).

Fix is to check BcnNumIes against size of header i.e 2 instead
of 0 to avoid 00B read.

Change-Id: Id167410da790e449d36853d8505142e1b218e9b8
CRs-Fixed: 2635666
parent fc0085b8

CORE/MAC/src/pe/rrm/rrmApi.c

+1 −1
Original line number Diff line number Diff line
@@ -704,7 +704,7 @@ rrmFillBeaconIes( tpAniSirGlobal pMac, 
   *((tANI_U16*)pIes) = pBssDesc->capabilityInfo;

   *pNumIes+=sizeof(tANI_U16); pIes+=sizeof(tANI_U16);



   while ( BcnNumIes > 0 )

   while ( BcnNumIes >= 2 )

   {

      len = *(pBcnIes + 1); //element id + length.

      len += 2;