
Commit 5f44ff8a authored by hangtian, committed by Gerrit - the friendly Code Review server

qcacld-3.0: Invalid rem_len computation in roam stats evt handler

rem_len is calculated based on MAX size of the WMI message
(WMI_SVC_MSG_MAX_SIZE) while extracting data from
WMI_ROAM_STATS_EVENTID event data.

Correct this by considering the actual message length
received in the event.

Change-Id: If24f732a8fdc0ad403e9b8a936ff8cfa0b7f7737
CRs-Fixed: 3035196
parent a0eaf52b
+1 −1
@@ -2192,7 +2192,7 @@ int wma_roam_stats_event_handler(WMA_HANDLE handle, uint8_t *event,
		num_tlv = MAX_ROAM_SCAN_STATS_TLV;
	}

	rem_len = WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_param);
	rem_len = len - sizeof(*fixed_param);
	if (rem_len < num_tlv * sizeof(wmi_roam_trigger_reason)) {
		wma_err_rl("Invalid roam trigger data");
		goto err;
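
Review bot: the new `rem_len = len - sizeof(*fixed_param);` assignment has no visible guard that `len` is at least `sizeof(*fixed_param)`. If that is not already checked earlier in wma_roam_stats_event_handler and rem_len is an unsigned type, an event shorter than the fixed param makes the subtraction wrap to a large value, and the following `rem_len < num_tlv * sizeof(wmi_roam_trigger_reason)` test then passes with a bogus remaining length. Suggest rejecting `len < sizeof(*fixed_param)` before computing rem_len, using the same wma_err_rl and `goto err` path, and keeping an upper bound of WMI_SVC_MSG_MAX_SIZE on `len` if the caller does not already enforce one.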