wlan: check BcnNumIes against size of header instead of 0 Currently, for while loop BcnNumIes is checked against 0 which may cause OOB read for len = *(pBcnIes + 1). Fix is to check BcnNumIes against size of header i.e 2 instead of 0 to avoid 00B read. Change-Id: Id167410da790e449d36853d8505142e1b218e9b8 CRs-Fixed: 2635666

commit: bf883a9fd73062322e61435edcf886af68fd24ad [log] [tgz]
author: sheenam monga <shebala@codeaurora.org> Wed Mar 11 15:34:39 2020 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> Wed Apr 22 00:37:55 2020 -0700
tree: f1787e0d912a80ce1a5ea628cf8ba0a43191466d
parent: 517d0f930bd1fbc39021df604865cfe8d90c06e7 [diff]
diff --git a/CORE/MAC/src/pe/rrm/rrmApi.c b/CORE/MAC/src/pe/rrm/rrmApi.c
index d43dc9c..ae5c5d7 100644
--- a/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/CORE/MAC/src/pe/rrm/rrmApi.c

@@ -704,7 +704,7 @@
    *((tANI_U16*)pIes) = pBssDesc->capabilityInfo;
    *pNumIes+=sizeof(tANI_U16); pIes+=sizeof(tANI_U16);
 
-   while ( BcnNumIes > 0 )
+   while ( BcnNumIes >= 2 )
    {
       len = *(pBcnIes + 1); //element id + length.
       len += 2;
commit	bf883a9fd73062322e61435edcf886af68fd24ad	[log] [tgz]
author	sheenam monga <shebala@codeaurora.org>	Wed Mar 11 15:34:39 2020 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Wed Apr 22 00:37:55 2020 -0700
tree	f1787e0d912a80ce1a5ea628cf8ba0a43191466d
parent	517d0f930bd1fbc39021df604865cfe8d90c06e7 [diff]