wlan: check BcnNumIes against size of header instead of 0
Currently, for while loop BcnNumIes is checked against 0
which may cause OOB read for len = *(pBcnIes + 1).
Fix is to check BcnNumIes against size of header i.e 2 instead
of 0 to avoid 00B read.
Change-Id: Id167410da790e449d36853d8505142e1b218e9b8
CRs-Fixed: 2635666
diff --git a/CORE/MAC/src/pe/rrm/rrmApi.c b/CORE/MAC/src/pe/rrm/rrmApi.c
index d43dc9c..ae5c5d7 100644
--- a/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -704,7 +704,7 @@
*((tANI_U16*)pIes) = pBssDesc->capabilityInfo;
*pNumIes+=sizeof(tANI_U16); pIes+=sizeof(tANI_U16);
- while ( BcnNumIes > 0 )
+ while ( BcnNumIes >= 2 )
{
len = *(pBcnIes + 1); //element id + length.
len += 2;