mwifiex: vendor_ie length check for parse WMM IEs
authorKarthik D A <karthida@marvell.com>
Wed, 28 Sep 2016 12:48:24 +0000 (18:18 +0530)
committerKalle Valo <kvalo@codeaurora.org>
Wed, 9 Nov 2016 01:33:26 +0000 (03:33 +0200)
When copying the vendor_ie obtained from cfg80211_find_vendor_ie()
into struct mwifiex_types_wmm_info, the wrong length/size was used.
This patch corrects the length that is copied into
mwifiex_types_wmm_info.

Signed-off-by: Karthik D A <karthida@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/marvell/mwifiex/uap_cmd.c

index a7e9f544f219d717a13ed29de537383c312c2573..35d8636bdb91d14c50b70e72c32e7ab0e10be3c0 100644 (file)
@@ -404,7 +404,7 @@ mwifiex_set_wmm_params(struct mwifiex_private *priv,
                       struct cfg80211_ap_settings *params)
 {
        const u8 *vendor_ie;
-       struct ieee_types_header *wmm_ie;
+       const u8 *wmm_ie;
        u8 wmm_oui[] = {0x00, 0x50, 0xf2, 0x02};
 
        vendor_ie = cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
@@ -412,9 +412,9 @@ mwifiex_set_wmm_params(struct mwifiex_private *priv,
                                            params->beacon.tail,
                                            params->beacon.tail_len);
        if (vendor_ie) {
-               wmm_ie = (struct ieee_types_header *)vendor_ie;
-               memcpy(&bss_cfg->wmm_info, wmm_ie + 1,
-                      sizeof(bss_cfg->wmm_info));
+               wmm_ie = vendor_ie;
+               memcpy(&bss_cfg->wmm_info, wmm_ie +
+                      sizeof(struct ieee_types_header), *(wmm_ie + 1));
                priv->wmm_enabled = 1;
        } else {
                memset(&bss_cfg->wmm_info, 0, sizeof(bss_cfg->wmm_info));
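Review bot: The new memcpy length `*(wmm_ie + 1)` is the element's own length byte, read from `params->beacon.tail`, and nothing in the hunk bounds it by the destination, so an element longer than `bss_cfg->wmm_info` writes past that field. A guard is needed before the copy, for example `if (*(wmm_ie + 1) > sizeof(bss_cfg->wmm_info)) return;`, because the beacon tail presumably comes from the caller's AP settings rather than from the driver. A shorter element also leaves the remaining bytes of `wmm_info` as they were, so a `memset(&bss_cfg->wmm_info, 0, sizeof(bss_cfg->wmm_info));` before the copy may be wanted as well. mwifiex_set_wmm_params starts and ends outside the hunk, so its return type and any cleanup path should be checked before using a bare `return`.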