|
@@ -2788,6 +2788,10 @@ QDF_STATUS lim_update_ext_cap_ie(tpAniSirGlobal mac_ctx,
|
|
|
return QDF_STATUS_E_FAILURE;
|
|
|
}
|
|
|
|
|
|
+ if ((*local_ie_len) > (MAX_DEFAULT_SCAN_IE_LEN - EXT_CAP_IE_HDR_LEN)) {
|
|
|
+ pe_err("Invalid Scan IE length");
|
|
|
+ return QDF_STATUS_E_FAILURE;
|
|
|
+ }
|
|
|
/* copy ie prior to ext cap to local buffer */
|
|
|
qdf_mem_copy(local_ie_buf, ie_data, (*local_ie_len));
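Review bot: All three added checks log the same `pe_err("Invalid Scan IE length")`, so a failure in the field cannot be tied to the check that fired or to the offending length. Here and in the hunks at -2804 and -2813 I would log the value, e.g. `pe_err("Invalid Scan IE length %d", *local_ie_len);`, with the format specifier matched to the declared type, which is not visible here. The bound also assumes local_ie_buf holds MAX_DEFAULT_SCAN_IE_LEN bytes, but its declaration is outside the hunk. A comment above the check such as `/* local_ie_buf is MAX_DEFAULT_SCAN_IE_LEN bytes; keep room for the ext cap IE header */` would make that invariant explicit. The body of lim_update_ext_cap_ie starts and ends outside the hunk.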
|
|
|
|
|
@@ -2804,6 +2808,12 @@ QDF_STATUS lim_update_ext_cap_ie(tpAniSirGlobal mac_ctx,
|
|
|
pe_err("Failed %d to create ext cap IE. Use default value instead",
|
|
|
status);
|
|
|
local_ie_buf[*local_ie_len + 1] = DOT11F_IE_EXTCAP_MAX_LEN;
|
|
|
+
|
|
|
+ if ((*local_ie_len) > (MAX_DEFAULT_SCAN_IE_LEN -
|
|
|
+ (DOT11F_IE_EXTCAP_MAX_LEN + EXT_CAP_IE_HDR_LEN))) {
|
|
|
+ pe_err("Invalid Scan IE length");
|
|
|
+ return QDF_STATUS_E_FAILURE;
|
|
|
+ }
|
|
|
(*local_ie_len) += EXT_CAP_IE_HDR_LEN;
|
|
|
qdf_mem_copy(local_ie_buf + (*local_ie_len),
|
|
|
default_scan_ext_cap.bytes,
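Review bot: The length-byte store `local_ie_buf[*local_ie_len + 1] = DOT11F_IE_EXTCAP_MAX_LEN;` runs before the new bound check. It is in range only because the earlier check at -2788 reserved EXT_CAP_IE_HDR_LEN bytes of headroom, and only if that constant is at least 2, which is not visible here. Moving the check above the store would make this guard self-contained rather than dependent on a check elsewhere in the function. The same ordering applies in the hunk at -2813, where `local_ie_buf[*local_ie_len + 1] = driver_ext_cap.num_bytes;` precedes its check. The qdf_mem_copy call at the end of this hunk continues outside it, so its length argument could not be compared with the bound.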
|
|
@@ -2813,6 +2823,12 @@ QDF_STATUS lim_update_ext_cap_ie(tpAniSirGlobal mac_ctx,
|
|
|
}
|
|
|
lim_merge_extcap_struct(&driver_ext_cap, &default_scan_ext_cap, true);
|
|
|
local_ie_buf[*local_ie_len + 1] = driver_ext_cap.num_bytes;
|
|
|
+
|
|
|
+ if ((*local_ie_len) > (MAX_DEFAULT_SCAN_IE_LEN -
|
|
|
+ (EXT_CAP_IE_HDR_LEN + driver_ext_cap.num_bytes))) {
|
|
|
+ pe_err("Invalid Scan IE length");
|
|
|
+ return QDF_STATUS_E_FAILURE;
|
|
|
+ }
|
|
|
(*local_ie_len) += EXT_CAP_IE_HDR_LEN;
|
|
|
qdf_mem_copy(local_ie_buf + (*local_ie_len),
|
|
|
driver_ext_cap.bytes, driver_ext_cap.num_bytes);
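Review bot: The bound `MAX_DEFAULT_SCAN_IE_LEN - (EXT_CAP_IE_HDR_LEN + driver_ext_cap.num_bytes)` subtracts a runtime value. If the expression is evaluated in an unsigned type and num_bytes ever exceeds the remaining space, the subtraction wraps and the check passes. The operand types are not visible in the hunk, so this may be safe as written, but the additive form does not depend on them: `if ((uint32_t)(*local_ie_len) + EXT_CAP_IE_HDR_LEN + driver_ext_cap.num_bytes > MAX_DEFAULT_SCAN_IE_LEN) {`. It is also worth confirming that lim_merge_extcap_struct keeps num_bytes within the size of driver_ext_cap.bytes, since the copy reads that many bytes from it.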
|