|
|
@@ -3835,7 +3835,12 @@ util_scan_parse_eht_beacon(struct wlan_objmgr_pdev *pdev,
|
|
|
{
|
|
|
QDF_STATUS status = QDF_STATUS_SUCCESS;
|
|
|
|
|
|
- if (mbssid_ie) {
|
|
|
+ if (mbssid_ie && ie_list) {
|
|
|
+ if (ie_list[TAG_LEN_POS] <= 0) {
|
|
|
+ scm_debug_rl("Corrupt IE");
|
|
|
+ return QDF_STATUS_E_INVAL;
|
|
|
+ }
|
|
|
+
|
|
|
status = util_scan_parse_mbssid(pdev, frame, frame_len,
|
|
|
frm_subtype, rx_param,
|
|
|
scan_list);
|
|
|
@@ -3953,9 +3958,9 @@ util_scan_parse_beacon_frame(struct wlan_objmgr_pdev *pdev,
|
|
|
mbssid_ie = util_scan_find_ie(WLAN_ELEMID_MULTIPLE_BSSID,
|
|
|
(uint8_t *)&bcn->ie, ie_len);
|
|
|
if (mbssid_ie) {
|
|
|
- if (mbssid_ie[1] <= 0) {
|
|
|
+ if (mbssid_ie[TAG_LEN_POS] < VALID_ELEM_LEAST_LEN) {
|
|
|
scm_debug("MBSSID IE length is wrong %d",
|
|
|
- mbssid_ie[1]);
|
|
|
+ mbssid_ie[TAG_LEN_POS]);
|
|
|
return status;
|
|
|
}
|
|
|
qdf_mem_copy(&mbssid_info.trans_bssid,
|
Adwait Nayak