From 81f058cf6a05d6ba047f80d0bcb4f7a143d3f999 Mon Sep 17 00:00:00 2001
From: Naveen Rawat
Date: Fri, 2 Jun 2017 16:02:39 -0700
Subject: [PATCH] qcacld-3.0: Fix IE length in function sme_get_beacon_frm

Fix IE length in function sme_get_beacon_frm.

Change-Id: Iaec7f14e0e2c9078037fbbb586d9d0ac64b4e0de
CRs-Fixed: 2055891
---
 core/sme/src/common/sme_api.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/core/sme/src/common/sme_api.c b/core/sme/src/common/sme_api.c
index 7b7c6a63d9..e4b4c7b5b6 100644
--- a/core/sme/src/common/sme_api.c
+++ b/core/sme/src/common/sme_api.c
@@ -15975,12 +15975,19 @@ QDF_STATUS sme_get_beacon_frm(tHalHandle hal, tCsrRoamProfile *profile,
 goto free_scan_flter;
 }
 
- /*
- * bss_descp->length = sizeof(tSirBssDescription) - sizeof(length_field)
- * - sizeof(ieFields) + ie_len;
+ /**
+ * Length of BSS descriptor is without length of
+ * length itself and length of pointer that holds ieFields.
+ *
+ * tSirBssDescription
+ * +--------+---------------------------------+---------------+
+ * | length | other fields | pointer to IEs|
+ * +--------+---------------------------------+---------------+
+ * ^
+ * ieFields
 */
- ie_len = bss_descp->length - sizeof(tSirBssDescription)
- + sizeof(bss_descp->length) + sizeof(bss_descp->ieFields);
+ ie_len = bss_descp->length + sizeof(bss_descp->length)
+ - (uint16_t)(offsetof(tSirBssDescription, ieFields[0]));
 sme_debug("found bss_descriptor ie_len: %d channel %d",
 ie_len, bss_descp->channelId);