
qcacld-3.0: Use variable length for Ext Cap IE

qcacld-2.0 to qcacld-3.0 propagation

Previously the Ext Cap IE length was defined as 8 or 9. In practice,
some APs send beacons or probe responses with an Ext Cap IE length less
than 8, which dot11f may then decode to an invalid value.

To fix this, use variable length (support from 1 to 9) for
Ext Cap IE.

Change-Id: I910edfddf3ea64bc3000b6e7803dc57a50399dbb
CRs-Fixed: 1052140
Hu Wang 8 жил өмнө
parent
commit
411e0cc7a8

+ 1 - 1
core/mac/src/cfg/cfgUtil/dot11f.frms

@@ -2302,7 +2302,7 @@ IE ChannelSwitchWrapper (EID_CHANNEL_SWITCH_WRAPPER)
 }
 IE ExtCap (EID_EXT_CAP)
 {
-    bytes[8..9];
+    bytes[1..9];
 }
 
 IE HTCaps (EID_HT_CAPABILITIES)

+ 2 - 2
core/mac/src/include/dot11f.h

@@ -35,7 +35,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Fri Jan  6 16:25:25 2017 from the following file(s):
+ * Mon Jan 23 14:07:41 2017 from the following file(s):
  *
  * dot11f.frms
  *
@@ -4352,7 +4352,7 @@ typedef struct sDot11fIEExtCap {
 #define DOT11F_EID_EXTCAP (127)
 
 /* N.B. These #defines do *not* include the EID & length */
-#define DOT11F_IE_EXTCAP_MIN_LEN (8)
+#define DOT11F_IE_EXTCAP_MIN_LEN (1)
 
 #define DOT11F_IE_EXTCAP_MAX_LEN (9)
 

+ 1 - 2
core/mac/src/pe/lim/lim_process_tdls.c

@@ -395,8 +395,7 @@ static void populate_dot11f_tdls_ext_capability(tpAniSirGlobal pMac,
 	p_ext_cap->tdls_prohibited = TDLS_PROHIBITED;
 
 	extCapability->present = 1;
-	/* For STA cases we alwasy support 11mc - Allow MAX length */
-	extCapability->num_bytes = DOT11F_IE_EXTCAP_MAX_LEN;
+	extCapability->num_bytes = lim_compute_ext_cap_ie_length(extCapability);
 
 	return;
 }
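Review bot: `num_bytes` can now come back as 0 while `present` was set to 1 two lines earlier, because lim_compute_ext_cap_ie_length returns 0 when no capability byte is set and DOT11F_IE_EXTCAP_MIN_LEN is 1 after this commit. Whether that can happen depends on the bits set earlier in populate_dot11f_tdls_ext_capability, which starts outside the hunk. populate_dot11f_ext_cap only computes the length when `present` is set; here I would derive the flag from the result instead, with `extCapability->present = (extCapability->num_bytes > 0);` after the length is computed. The removed 11mc comment also deserves a replacement, such as `/* length follows the highest non-zero capability byte */`.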

+ 88 - 59
core/mac/src/pe/lim/lim_send_management_frames.c

@@ -346,17 +346,6 @@ lim_send_probe_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 		populate_dot11f_ext_cap(mac_ctx, is_vht_enabled, &pr.ExtCap,
 			pesession);
 
-	/* That's it-- now we pack it.  First, how much space are we going to */
-	status = dot11f_get_packed_probe_request_size(mac_ctx, &pr, &payload);
-	if (DOT11F_FAILED(status)) {
-		lim_log(mac_ctx, LOGP, FL("Failed to calculate the packed size for a Probe Request (0x%08x)."), status);
-		/* We'll fall back on the worst case scenario: */
-		payload = sizeof(tDot11fProbeRequest);
-	} else if (DOT11F_WARNED(status)) {
-		lim_log(mac_ctx, LOGW,
-			FL("There were warnings while calculating the packed size for a Probe Request (0x%08x)."), status);
-	}
-
 	if (addn_ielen) {
 		qdf_mem_zero((uint8_t *)&extracted_ext_cap,
 			sizeof(tDot11fIEExtCap));
@@ -373,11 +362,36 @@ lim_send_probe_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 					extracted_ext_cap.bytes;
 			if (p_ext_cap->interworking_service)
 				p_ext_cap->qos_map = 1;
+			extracted_ext_cap.num_bytes =
+				lim_compute_ext_cap_ie_length
+					(&extracted_ext_cap);
 			extracted_ext_cap_flag =
-				lim_is_ext_cap_ie_present(p_ext_cap);
+				(extracted_ext_cap.num_bytes > 0);
 		}
 	}
 
+	/*
+	 * Extcap IE now support variable length, merge Extcap IE from addn_ie
+	 * may change the frame size. Therefore, MUST merge ExtCap IE before
+	 * dot11f get packed payload size.
+	 */
+	if (extracted_ext_cap_flag)
+		lim_merge_extcap_struct(&pr.ExtCap, &extracted_ext_cap);
+
+	/* That's it-- now we pack it.  First, how much space are we going to */
+	status = dot11f_get_packed_probe_request_size(mac_ctx, &pr, &payload);
+	if (DOT11F_FAILED(status)) {
+		lim_log(mac_ctx, LOGE,
+			FL("Failed to calculate the packed size for a Probe Request (0x%08x)."),
+			status);
+		/* We'll fall back on the worst case scenario: */
+		payload = sizeof(tDot11fProbeRequest);
+	} else if (DOT11F_WARNED(status)) {
+		lim_log(mac_ctx, LOGW,
+			FL("There were warnings while calculating the packed size for a Probe Request (0x%08x)."),
+			status);
+	}
+
 	bytes = payload + sizeof(tSirMacMgmtHdr) + addn_ielen;
 
 	/* Ok-- try to allocate some memory: */
@@ -394,10 +408,6 @@ lim_send_probe_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 	lim_populate_mac_header(mac_ctx, frame, SIR_MAC_MGMT_FRAME,
 		SIR_MAC_MGMT_PROBE_REQ, bssid, self_macaddr);
 
-	/* merge the ExtCap struct*/
-	if (extracted_ext_cap_flag)
-		lim_merge_extcap_struct(&pr.ExtCap, &extracted_ext_cap);
-
 	/* That done, pack the Probe Request: */
 	status = dot11f_pack_probe_request(mac_ctx, &pr, frame +
 					    sizeof(tSirMacMgmtHdr),
@@ -533,7 +543,7 @@ lim_send_probe_rsp_mgmt_frame(tpAniSirGlobal mac_ctx,
 {
 	tDot11fProbeResponse *frm;
 	tSirRetStatus sir_status;
-	uint32_t cfg, payload, bytes, status;
+	uint32_t cfg, payload, bytes = 0, status;
 	tpSirMacMgmtHdr mac_hdr;
 	uint8_t *frame;
 	void *packet = NULL;
@@ -699,21 +709,6 @@ lim_send_probe_rsp_mgmt_frame(tpAniSirGlobal mac_ctx,
 			&frm->WAPI);
 #endif /* defined(FEATURE_WLAN_WAPI) */
 
-	status = dot11f_get_packed_probe_response_size(mac_ctx, frm, &payload);
-	if (DOT11F_FAILED(status)) {
-		lim_log(mac_ctx, LOGP,
-			FL("Probe Response size error (0x%08x)."),
-			status);
-		/* We'll fall back on the worst case scenario: */
-		payload = sizeof(tDot11fProbeResponse);
-	} else if (DOT11F_WARNED(status)) {
-		lim_log(mac_ctx, LOGW,
-			FL("Probe Response size warning (0x%08x)."),
-			status);
-	}
-
-	bytes = payload + sizeof(tSirMacMgmtHdr);
-
 	if (mac_ctx->lim.gpLimRemainOnChanReq)
 		bytes += (mac_ctx->lim.gpLimRemainOnChanReq->length -
 			 sizeof(tSirRemainOnChnReq));
@@ -777,6 +772,29 @@ lim_send_probe_rsp_mgmt_frame(tpAniSirGlobal mac_ctx,
 		}
 	}
 
+	/*
+	 * Extcap IE now support variable length, merge Extcap IE from addn_ie
+	 * may change the frame size. Therefore, MUST merge ExtCap IE before
+	 * dot11f get packed payload size.
+	 */
+	if (extracted_ext_cap_flag)
+		lim_merge_extcap_struct(&frm->ExtCap, &extracted_ext_cap);
+
+	status = dot11f_get_packed_probe_response_size(mac_ctx, frm, &payload);
+	if (DOT11F_FAILED(status)) {
+		lim_log(mac_ctx, LOGE,
+			FL("Probe Response size error (0x%08x)."),
+			status);
+		/* We'll fall back on the worst case scenario: */
+		payload = sizeof(tDot11fProbeResponse);
+	} else if (DOT11F_WARNED(status)) {
+		lim_log(mac_ctx, LOGW,
+			FL("Probe Response size warning (0x%08x)."),
+			status);
+	}
+
+	bytes += payload + sizeof(tSirMacMgmtHdr);
+
 	qdf_status = cds_packet_alloc((uint16_t) bytes, (void **)&frame,
 				      (void **)&packet);
 	if (!QDF_IS_STATUS_SUCCESS(qdf_status)) {
@@ -795,10 +813,6 @@ lim_send_probe_rsp_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 	sir_copy_mac_addr(mac_hdr->bssId, pe_session->bssId);
 
-	/* merge ExtCap IE */
-	if (extracted_ext_cap_flag)
-		lim_merge_extcap_struct(&frm->ExtCap, &extracted_ext_cap);
-
 	/* That done, pack the Probe Response: */
 	status =
 		dot11f_pack_probe_response(mac_ctx, frm,
@@ -1120,7 +1134,7 @@ lim_send_assoc_rsp_mgmt_frame(tpAniSirGlobal mac_ctx,
 	tSirRetStatus sir_status;
 	uint8_t lle_mode = 0, addts;
 	tHalBitVal qos_mode, wme_mode;
-	uint32_t payload, bytes, status;
+	uint32_t payload, bytes = 0, status;
 	void *packet;
 	QDF_STATUS qdf_status;
 	tUpdateBeaconParams beacon_params;
@@ -1316,20 +1330,6 @@ lim_send_assoc_rsp_mgmt_frame(tpAniSirGlobal mac_ctx,
 		sch_set_fixed_beacon_fields(mac_ctx, pe_session);
 		lim_send_beacon_params(mac_ctx, &beacon_params, pe_session);
 	}
-	/* Allocate a buffer for this frame: */
-	status = dot11f_get_packed_assoc_response_size(mac_ctx, &frm, &payload);
-	if (DOT11F_FAILED(status)) {
-		lim_log(mac_ctx, LOGE,
-			FL("get Association Response size failure (0x%08x)."),
-			status);
-		return;
-	} else if (DOT11F_WARNED(status)) {
-		lim_log(mac_ctx, LOGW,
-			FL("get Association Response size warning (0x%08x)."),
-			status);
-	}
-
-	bytes = sizeof(tSirMacMgmtHdr) + payload;
 
 	if (assoc_req != NULL) {
 		addn_ie_len = pe_session->addIeParams.assocRespDataLen;
@@ -1363,6 +1363,30 @@ lim_send_assoc_rsp_mgmt_frame(tpAniSirGlobal mac_ctx,
 			FL("addn_ie_len = %d for Assoc Resp : %d"),
 			addn_ie_len, assoc_req->addIEPresent);
 	}
+
+	/*
+	 * Extcap IE now support variable length, merge Extcap IE from addn_ie
+	 * may change the frame size. Therefore, MUST merge ExtCap IE before
+	 * dot11f get packed payload size.
+	 */
+	if (extracted_flag)
+		lim_merge_extcap_struct(&(frm.ExtCap), &extracted_ext_cap);
+
+	/* Allocate a buffer for this frame: */
+	status = dot11f_get_packed_assoc_response_size(mac_ctx, &frm, &payload);
+	if (DOT11F_FAILED(status)) {
+		lim_log(mac_ctx, LOGE,
+			FL("get Association Response size failure (0x%08x)."),
+			status);
+		return;
+	} else if (DOT11F_WARNED(status)) {
+		lim_log(mac_ctx, LOGW,
+			FL("get Association Response size warning (0x%08x)."),
+			status);
+	}
+
+	bytes += sizeof(tSirMacMgmtHdr) + payload;
+
 	qdf_status = cds_packet_alloc((uint16_t) bytes, (void **)&frame,
 				      (void **)&packet);
 	if (!QDF_IS_STATUS_SUCCESS(qdf_status)) {
@@ -1382,9 +1406,6 @@ lim_send_assoc_rsp_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 	sir_copy_mac_addr(mac_hdr->bssId, pe_session->bssId);
 
-	/* merge the ExtCap struct */
-	if (extracted_flag)
-		lim_merge_extcap_struct(&(frm.ExtCap), &extracted_ext_cap);
 	status = dot11f_pack_assoc_response(mac_ctx, &frm,
 					     frame + sizeof(tSirMacMgmtHdr),
 					     payload, &payload);
@@ -1622,7 +1643,7 @@ lim_send_assoc_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 	uint8_t *frame;
 	tSirRetStatus sir_status;
 	tLimMlmAssocCnf assoc_cnf;
-	uint32_t bytes, payload, status;
+	uint32_t bytes = 0, payload, status;
 	uint8_t qos_enabled, wme_enabled, wsm_enabled;
 	void *packet;
 	QDF_STATUS qdf_status;
@@ -1657,6 +1678,7 @@ lim_send_assoc_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 		lim_log(mac_ctx, LOGE, FL("Unable to allocate memory"));
 		return;
 	}
+	qdf_mem_set((uint8_t *) frm, sizeof(tDot11fAssocRequest), 0);
 
 	if (add_ie_len && pe_session->is_ext_caps_present) {
 		qdf_mem_set((uint8_t *) &extr_ext_cap, sizeof(tDot11fIEExtCap),
@@ -1673,7 +1695,9 @@ lim_send_assoc_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 			if (p_ext_cap->interworking_service)
 				p_ext_cap->qos_map = 1;
-			extr_ext_flag = lim_is_ext_cap_ie_present(p_ext_cap);
+			extr_ext_cap.num_bytes =
+				lim_compute_ext_cap_ie_length(&extr_ext_cap);
+			extr_ext_flag = (extr_ext_cap.num_bytes > 0);
 		}
 	} else {
 		lim_log(mac_ctx, LOG1,
@@ -1876,6 +1900,14 @@ lim_send_assoc_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 	}
 #endif
 
+	/*
+	 * Extcap IE now support variable length, merge Extcap IE from addn_ie
+	 * may change the frame size. Therefore, MUST merge ExtCap IE before
+	 * dot11f get packed payload size.
+	 */
+	if (extr_ext_flag)
+		lim_merge_extcap_struct(&frm->ExtCap, &extr_ext_cap);
+
 	status = dot11f_get_packed_assoc_request_size(mac_ctx, frm, &payload);
 	if (DOT11F_FAILED(status)) {
 		lim_log(mac_ctx, LOGP,
@@ -1922,9 +1954,6 @@ lim_send_assoc_req_mgmt_frame(tpAniSirGlobal mac_ctx,
 	lim_populate_mac_header(mac_ctx, frame, SIR_MAC_MGMT_FRAME,
 		SIR_MAC_MGMT_ASSOC_REQ, pe_session->bssId,
 		pe_session->selfMacAddr);
-	/* merge the ExtCap struct */
-	if (extr_ext_flag)
-		lim_merge_extcap_struct(&frm->ExtCap, &extr_ext_cap);
 	/* That done, pack the Assoc Request: */
 	status = dot11f_pack_assoc_request(mac_ctx, frm,
 			frame + sizeof(tSirMacMgmtHdr), payload, &payload);
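Review bot: Any limit check applied to `bytes` ahead of the new `bytes += payload + sizeof(tSirMacMgmtHdr);` in lim_send_probe_rsp_mgmt_frame and lim_send_assoc_rsp_mgmt_frame now sees only the additional-IE contribution, because `bytes` starts at 0 and the packed payload and MAC header are added last. Those stretches lie outside the hunks, so this is inferred, but the total then reaches `cds_packet_alloc((uint16_t) bytes, ...)` through a narrowing cast with no range check in view. I would test the final sum right after the `+=`, for example `if (bytes > 0xFFFF)`, and leave through the function's existing failure path. lim_send_probe_rsp_template_to_hal in sch_api.c gets the same reordering for `nBytes`; there the `else addnIEPresent = false; /* Dont include the IE. */` branch sits just above the moved code and the result sizes `qdf_mem_set(pFrame2Hal, nBytes, 0)`, so the final value should be checked against the template buffer's capacity as well.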

+ 15 - 14
core/mac/src/pe/lim/lim_utils.c

@@ -6809,10 +6809,10 @@ void lim_update_extcap_struct(tpAniSirGlobal mac_ctx,
 	}
 
 	qdf_mem_set((uint8_t *)&out[0], DOT11F_IE_EXTCAP_MAX_LEN, 0);
-	qdf_mem_copy(&out[0], &buf[2], DOT11F_IE_EXTCAP_MAX_LEN);
+	qdf_mem_copy(&out[0], &buf[2], buf[1]);
 
 	if (DOT11F_PARSE_SUCCESS != dot11f_unpack_ie_ext_cap(mac_ctx, &out[0],
-					DOT11F_IE_EXTCAP_MAX_LEN, dst))
+					buf[1], dst))
 		lim_log(mac_ctx, LOGE, FL("dot11f_unpack Parse Error "));
 }
 
@@ -6873,6 +6873,8 @@ void lim_merge_extcap_struct(tDot11fIEExtCap *dst,
 		tempdst++;
 		tempsrc++;
 	}
+	dst->present |= src->present;
+	dst->num_bytes = lim_compute_ext_cap_ie_length(dst);
 }
 
 /**
@@ -7129,24 +7131,23 @@ bool lim_is_robust_mgmt_action_frame(uint8_t action_category)
 }
 
 /**
- * lim_is_ext_cap_ie_present - checks if ext ie is present
+ * lim_compute_ext_cap_ie_length - compute the length of ext cap ie
+ * based on the bits set
  * @ext_cap: extended IEs structure
  *
- * Return: true if ext IEs are present else false
+ * Return: length of the ext cap ie, 0 means should not present
  */
-bool lim_is_ext_cap_ie_present (struct s_ext_cap *ext_cap)
+uint8_t lim_compute_ext_cap_ie_length(tDot11fIEExtCap *ext_cap)
 {
-	int i, size;
-	uint8_t *tmp_buf;
+	uint8_t i = DOT11F_IE_EXTCAP_MAX_LEN;
 
-	tmp_buf = (uint8_t *) ext_cap;
-	size = sizeof(*ext_cap);
-
-	for (i = 0; i < size; i++)
-		if (tmp_buf[i])
-			return true;
+	while (i) {
+		if (ext_cap->bytes[i-1])
+			break;
+		i--;
+	}
 
-	return false;
+	return i;
 }
 
 /**
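Review bot: The copy into `out` in lim_update_extcap_struct is now sized by `buf[1]`, a length byte read from the IE itself, while the `qdf_mem_set` on the line above clears only DOT11F_IE_EXTCAP_MAX_LEN bytes, which suggests `out` is no larger than that. The hunk shows no bound on `buf[1]`; the block that closes on its first context line is outside the hunk, so confirm it rejects oversized lengths, or add `if (buf[1] > DOT11F_IE_EXTCAP_MAX_LEN) return;` ahead of the copy. Without that bound, a length byte above 9 would write past `out` and hand the same length to dot11f_unpack_ie_ext_cap. A zero length is worth rejecting at the same place, since DOT11F_IE_EXTCAP_MIN_LEN is now 1.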

+ 1 - 1
core/mac/src/pe/lim/lim_utils.h

@@ -632,7 +632,7 @@ static inline void lim_deactivate_and_change_timer_host_roam(
 #endif
 
 bool lim_is_robust_mgmt_action_frame(uint8_t action_category);
-bool lim_is_ext_cap_ie_present (struct s_ext_cap *ext_cap);
+uint8_t lim_compute_ext_cap_ie_length(tDot11fIEExtCap *ext_cap);
 
 /**
  * lim_p2p_action_cnf() - callback to indicate Tx completion

+ 28 - 23
core/mac/src/pe/sch/sch_api.c

@@ -330,7 +330,7 @@ uint32_t lim_send_probe_rsp_template_to_hal(tpAniSirGlobal pMac,
 	uint8_t *pFrame2Hal = psessionEntry->pSchProbeRspTemplate;
 	tpSendProbeRespParams pprobeRespParams = NULL;
 	uint32_t retCode = eSIR_FAILURE;
-	uint32_t nPayload, nBytes, nStatus;
+	uint32_t nPayload, nBytes = 0, nStatus;
 	tpSirMacMgmtHdr pMacHdr;
 	uint32_t addnIEPresent = false;
 	uint8_t *addIE = NULL;
@@ -343,22 +343,6 @@ uint32_t lim_send_probe_rsp_template_to_hal(tpAniSirGlobal pMac,
 	tSirRetStatus status;
 	uint16_t addn_ielen = 0;
 
-	nStatus = dot11f_get_packed_probe_response_size(pMac,
-			&psessionEntry->probeRespFrame, &nPayload);
-	if (DOT11F_FAILED(nStatus)) {
-		sch_log(pMac, LOGE, FL("Failed to calculate the packed size f"
-				       "or a Probe Response (0x%08x)."),
-			nStatus);
-		/* We'll fall back on the worst case scenario: */
-		nPayload = sizeof(tDot11fProbeResponse);
-	} else if (DOT11F_WARNED(nStatus)) {
-		sch_log(pMac, LOGE, FL("There were warnings while calculating"
-				       "the packed size for a Probe Response "
-				       "(0x%08x)."), nStatus);
-	}
-
-	nBytes = nPayload + sizeof(tSirMacMgmtHdr);
-
 	/* Check if probe response IE is present or not */
 	addnIEPresent = (psessionEntry->addIeParams.probeRespDataLen != 0);
 	if (addnIEPresent) {
@@ -421,6 +405,33 @@ uint32_t lim_send_probe_rsp_template_to_hal(tpAniSirGlobal pMac,
 		else
 			addnIEPresent = false;  /* Dont include the IE. */
 	}
+
+	/*
+	 * Extcap IE now support variable length, merge Extcap IE from addn_ie
+	 * may change the frame size. Therefore, MUST merge ExtCap IE before
+	 * dot11f get packed payload size.
+	 */
+	prb_rsp_frm = &psessionEntry->probeRespFrame;
+	if (extcap_present)
+		lim_merge_extcap_struct(&prb_rsp_frm->ExtCap,
+					&extracted_extcap);
+
+	nStatus = dot11f_get_packed_probe_response_size(pMac,
+			&psessionEntry->probeRespFrame, &nPayload);
+	if (DOT11F_FAILED(nStatus)) {
+		sch_log(pMac, LOGE,
+			FL("Failed to calculate the packed size for a Probe Response (0x%08x)."),
+			nStatus);
+		/* We'll fall back on the worst case scenario: */
+		nPayload = sizeof(tDot11fProbeResponse);
+	} else if (DOT11F_WARNED(nStatus)) {
+		sch_log(pMac, LOGE,
+			FL("There were warnings while calculating the packed size for a Probe Response (0x%08x)."),
+			nStatus);
+	}
+
+	nBytes += nPayload + sizeof(tSirMacMgmtHdr);
+
 	/* Paranoia: */
 	qdf_mem_set(pFrame2Hal, nBytes, 0);
 
@@ -434,12 +445,6 @@ uint32_t lim_send_probe_rsp_template_to_hal(tpAniSirGlobal pMac,
 
 	sir_copy_mac_addr(pMacHdr->bssId, psessionEntry->bssId);
 
-	/* merge extcap IE */
-	prb_rsp_frm = &psessionEntry->probeRespFrame;
-	if (extcap_present)
-		lim_merge_extcap_struct(&prb_rsp_frm->ExtCap,
-					&extracted_extcap);
-
 	/* That done, pack the Probe Response: */
 	nStatus =
 		dot11f_pack_probe_response(pMac, &psessionEntry->probeRespFrame,

+ 14 - 14
core/mac/src/sys/legacy/src/utils/src/dot11f.c

@@ -33,7 +33,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Fri Jan  6 16:25:25 2017 from the following file(s):
+ * Mon Jan 23 14:07:41 2017 from the following file(s):
  *
  * dot11f.frms
  *
@@ -6271,7 +6271,7 @@ static const tIEDefn IES_AssocRequest[] = {
 	present), 0, "VHTCaps", 0, 14, 14, SigIeVHTCaps, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTCAPS, 0, },
 	{ offsetof(tDot11fAssocRequest, ExtCap), offsetof(tDot11fIEExtCap,
-	present), 0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	present), 0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fAssocRequest, OperatingMode),
 	offsetof(tDot11fIEOperatingMode, present), 0, "OperatingMode",
@@ -6399,7 +6399,7 @@ static const tIEDefn IES_AssocResponse[] = {
 	0, 7, 7, SigIeVHTOperation, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTOPERATION, 0, },
 	{ offsetof(tDot11fAssocResponse, ExtCap), offsetof(tDot11fIEExtCap,
-	present), 0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	present), 0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fAssocResponse, OBSSScanParameters),
 	offsetof(tDot11fIEOBSSScanParameters, present), 0, "OBSSScanParameters",
@@ -6622,7 +6622,7 @@ static const tIEDefn IES_Beacon[] = {
 	0, 7, 7, SigIeVHTExtBssLoad, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTEXTBSSLOAD, 0, },
 	{ offsetof(tDot11fBeacon, ExtCap), offsetof(tDot11fIEExtCap, present), 0,
-	"ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	"ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fBeacon, OperatingMode),
 	offsetof(tDot11fIEOperatingMode, present), 0, "OperatingMode",
@@ -6824,7 +6824,7 @@ static const tIEDefn IES_Beacon2[] = {
 	0, 7, 7, SigIeVHTExtBssLoad, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTEXTBSSLOAD, 0, },
 	{ offsetof(tDot11fBeacon2, ExtCap), offsetof(tDot11fIEExtCap, present), 0,
-	"ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	"ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fBeacon2, OperatingMode),
 	offsetof(tDot11fIEOperatingMode, present), 0, "OperatingMode",
@@ -7022,7 +7022,7 @@ static const tIEDefn IES_BeaconIEs[] = {
 	0, 7, 7, SigIeVHTExtBssLoad, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTEXTBSSLOAD, 0, },
 	{ offsetof(tDot11fBeaconIEs, ExtCap), offsetof(tDot11fIEExtCap, present),
-	0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fBeaconIEs, OperatingMode),
 	offsetof(tDot11fIEOperatingMode, present), 0, "OperatingMode",
@@ -7473,7 +7473,7 @@ static const tIEDefn IES_ProbeRequest[] = {
 	present), 0, "VHTCaps", 0, 14, 14, SigIeVHTCaps, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTCAPS, 0, },
 	{ offsetof(tDot11fProbeRequest, ExtCap), offsetof(tDot11fIEExtCap,
-	present), 0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	present), 0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{0, 0, 0, NULL, 0, 0, 0, 0, {0, 0, 0, 0, 0}, 0, 0xff, 0, },};
 
@@ -7639,7 +7639,7 @@ static const tIEDefn IES_ProbeResponse[] = {
 	0, 7, 7, SigIeVHTExtBssLoad, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTEXTBSSLOAD, 0, },
 	{ offsetof(tDot11fProbeResponse, ExtCap), offsetof(tDot11fIEExtCap,
-	present), 0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	present), 0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fProbeResponse, OBSSScanParameters),
 	offsetof(tDot11fIEOBSSScanParameters, present), 0, "OBSSScanParameters",
@@ -7897,7 +7897,7 @@ static const tIEDefn IES_ReAssocRequest[] = {
 	present), 0, "VHTCaps", 0, 14, 14, SigIeVHTCaps, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTCAPS, 0, },
 	{ offsetof(tDot11fReAssocRequest, ExtCap), offsetof(tDot11fIEExtCap,
-	present), 0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	present), 0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fReAssocRequest, OperatingMode),
 	offsetof(tDot11fIEOperatingMode, present), 0, "OperatingMode",
@@ -8031,7 +8031,7 @@ static const tIEDefn IES_ReAssocResponse[] = {
 	0, 7, 7, SigIeVHTOperation, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_VHTOPERATION, 0, },
 	{ offsetof(tDot11fReAssocResponse, ExtCap), offsetof(tDot11fIEExtCap,
-	present), 0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	present), 0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fReAssocResponse, OBSSScanParameters),
 	offsetof(tDot11fIEOBSSScanParameters, present), 0, "OBSSScanParameters",
@@ -8208,7 +8208,7 @@ static const tIEDefn IES_TDLSDisRsp[] = {
 	{ offsetof(tDot11fTDLSDisRsp, RSN), offsetof(tDot11fIERSN, present), 0,
 	"RSN", 0, 8, 116, SigIeRSN, {0, 0, 0, 0, 0}, 0, DOT11F_EID_RSN, 0, },
 	{ offsetof(tDot11fTDLSDisRsp, ExtCap), offsetof(tDot11fIEExtCap, present),
-	0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fTDLSDisRsp, FTInfo), offsetof(tDot11fIEFTInfo, present),
 	0, "FTInfo", 0, 84, 222, SigIeFTInfo, {0, 0, 0, 0, 0},
@@ -8414,7 +8414,7 @@ static const tIEDefn IES_TDLSSetupReq[] = {
 	{ offsetof(tDot11fTDLSSetupReq, RSN), offsetof(tDot11fIERSN, present), 0,
 	"RSN", 0, 8, 116, SigIeRSN, {0, 0, 0, 0, 0}, 0, DOT11F_EID_RSN, 0, },
 	{ offsetof(tDot11fTDLSSetupReq, ExtCap), offsetof(tDot11fIEExtCap,
-	present), 0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	present), 0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fTDLSSetupReq, SuppOperatingClasses),
 	offsetof(tDot11fIESuppOperatingClasses, present), 0,
@@ -8503,7 +8503,7 @@ static const tIEDefn IES_TDLSSetupRsp[] = {
 	{ offsetof(tDot11fTDLSSetupRsp, RSN), offsetof(tDot11fIERSN, present), 0,
 	"RSN", 0, 8, 116, SigIeRSN, {0, 0, 0, 0, 0}, 0, DOT11F_EID_RSN, 0, },
 	{ offsetof(tDot11fTDLSSetupRsp, ExtCap), offsetof(tDot11fIEExtCap,
-	present), 0, "ExtCap", 0, 10, 11, SigIeExtCap, {0, 0, 0, 0, 0},
+	present), 0, "ExtCap", 0, 3, 11, SigIeExtCap, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fTDLSSetupRsp, SuppOperatingClasses),
 	offsetof(tDot11fIESuppOperatingClasses, present), 0,
@@ -8682,7 +8682,7 @@ static const tIEDefn IES_TimingAdvertisementFrame[] = {
 	0, 18, 18, SigIeTimeAdvertisement, {0, 0, 0, 0, 0},
 	0, DOT11F_EID_TIMEADVERTISEMENT, 0, },
 	{ offsetof(tDot11fTimingAdvertisementFrame, ExtCap),
-	offsetof(tDot11fIEExtCap, present), 0, "ExtCap", 0, 10, 11, SigIeExtCap,
+	offsetof(tDot11fIEExtCap, present), 0, "ExtCap", 0, 3, 11, SigIeExtCap,
 	{0, 0, 0, 0, 0}, 0, DOT11F_EID_EXTCAP, 0, },
 	{ offsetof(tDot11fTimingAdvertisementFrame, Vendor1IE),
 	offsetof(tDot11fIEVendor1IE, present), 0, "Vendor1IE",

+ 6 - 0
core/mac/src/sys/legacy/src/utils/src/parser_api.c

@@ -1258,6 +1258,10 @@ populate_dot11f_ext_cap(tpAniSirGlobal pMac,
 #endif
 	p_ext_cap->ext_chan_switch = 1;
 
+	/* Need to calulate the num_bytes based on bits set */
+	if (pDot11f->present)
+		pDot11f->num_bytes = lim_compute_ext_cap_ie_length(pDot11f);
+
 	return eSIR_SUCCESS;
 }
 
@@ -3244,6 +3248,7 @@ sir_beacon_ie_ese_bcn_report(tpAniSirGlobal pMac,
 		lim_log(pMac, LOGE, FL("Failed to allocate memory"));
 		return eSIR_MEM_ALLOC_FAILED;
 	}
+	qdf_mem_zero(pBies, sizeof(tDot11fBeaconIEs));
 	/* delegate to the framesc-generated code, */
 	status = dot11f_unpack_beacon_i_es(pMac, pPayload, nPayload, pBies);
 
@@ -3538,6 +3543,7 @@ sir_parse_beacon_ie(tpAniSirGlobal pMac,
 		lim_log(pMac, LOGE, FL("Failed to allocate memory"));
 		return eSIR_MEM_ALLOC_FAILED;
 	}
+	qdf_mem_zero(pBies, sizeof(tDot11fBeaconIEs));
 	/* delegate to the framesc-generated code, */
 	status = dot11f_unpack_beacon_i_es(pMac, pPayload, nPayload, pBies);