qcacld-3.0: Exclude length field size from max beacon payload size

Don't account for the length field size while comparing against
the max beacon size.

The current driver starts from (ptr + 4 bytes) and then tries to
copy 512 bytes from that point, which results in copying an extra
4 bytes beyond the array's boundary.

Instead, copy only 508 bytes if the driver starts copying from
(ptr + 4 bytes).

 ptr
  ^
  |
  |
  +---------------+--------------------------------+
  |               |                                |
  |  Length       |   Max Beacon payload           |
  |               |                                |
  +---------------+--------------------------------+

  |<-- 4 bytes -->|<-------- 508 bytes ----------->|

  |<-------------  512 bytes --------------------->|

CRs-Fixed: 2327052
Change-Id: I2646986ec424f7da31107ad01f673588734eaa52
Krunal Soni 2018-10-03 11:48:27 -07:00 committed by nshrivas
parent ac580f44fa
commit 2f5e3dd670

@ -2652,9 +2652,9 @@ static QDF_STATUS wma_store_bcn_tmpl(tp_wma_handle wma, uint8_t vdev_id,
}
len = *(u32 *) &bcn_info->beacon[0];
if (len > SIR_MAX_BEACON_SIZE) {
WMA_LOGE("%s: Received beacon len %d exceeding max limit %d",
__func__, len, SIR_MAX_BEACON_SIZE);
if (len > SIR_MAX_BEACON_SIZE - sizeof(uint32_t)) {
WMA_LOGE("%s: Received beacon len %u exceeding max limit %lu",
__func__, len, SIR_MAX_BEACON_SIZE - sizeof(uint32_t));
return QDF_STATUS_E_INVAL;
}
WMA_LOGD("%s: Storing received beacon template buf to local buffer",
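
Review bot: The new WMA_LOGE call prints `SIR_MAX_BEACON_SIZE - sizeof(uint32_t)` with `%lu`, but the subtraction involves a `sizeof` operand, so assuming the macro is a plain integer constant the argument has type size_t, which is not unsigned long on 32-bit builds; `%zu` is the matching specifier. The bound `SIR_MAX_BEACON_SIZE - sizeof(uint32_t)` is also written out twice here, once in the condition and once in the log argument, and the copy that consumes `len` is outside the visible lines, so a named constant for the maximum payload (the 508 bytes in the commit message's diagram) shared by the check, the message and the copy would keep the three from drifting apart. A short comment above the check saying that the first four bytes of `bcn_info->beacon` hold the length and are excluded from the payload limit would record why the limit is not simply SIR_MAX_BEACON_SIZE.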