@@ -397,6 +397,8 @@ static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd,
#ifdef CONFIG_IEEE80211AX
if (hapd->iconf->ieee80211ax) {
buflen += 3 + sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE +
3 + sizeof(struct ieee80211_he_operation) +
3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) +
3 + sizeof(struct ieee80211_spatial_reuse);
@@ -1089,6 +1091,8 @@ int ieee802_11_build_ap_params(struct hostapd_data *hapd,
#ifdef CONFIG_IEEE80211AX
if (hapd->iconf->ieee80211ax) {
tail_len += 3 + sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE +
3 + sizeof(struct ieee80211_he_operation) +
3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) +
3 + sizeof(struct ieee80211_spatial_reuse);
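Review bot: The three-term size `sizeof(struct ieee80211_he_capabilities) + HE_MAX_MCS_CAPAB_SIZE + HE_MAX_PPET_CAPAB_SIZE` is now spelled out by hand here, in hostapd_gen_probe_resp above and again as he_capab_max_len in copy_sta_he_capab; the frame-size reservation and the receive-side bound are the same quantity and should not be able to drift apart. I would define it once next to the struct, e.g. `#define HE_CAPAB_MAX_LEN (sizeof(struct ieee80211_he_capabilities) + HE_MAX_MCS_CAPAB_SIZE + HE_MAX_PPET_CAPAB_SIZE)`, and use it in all three places. A one-line comment above the sum, `/* HE Capabilities element: fixed MAC/PHY fields plus the variable MCS/NSS and PPE Thresholds fields */`, would also explain why the two extra terms belong here. ieee802_11_build_ap_params starts and ends outside this hunk.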
@@ -323,9 +323,12 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
enum ieee80211_op_mode opmode, const u8 *he_capab,
size_t he_capab_len)
{
+size_t he_capab_max_len = sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE;
if (!he_capab || !hapd->iconf->ieee80211ax ||
!check_valid_he_mcs(hapd, he_capab, opmode) ||
- he_capab_len > sizeof(struct ieee80211_he_capabilities)) {
+ he_capab_len > he_capab_max_len) {
sta->flags &= ~WLAN_STA_HE;
os_free(sta->he_capab);
sta->he_capab = NULL;
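Review bot: he_capab_max_len is used only for the bound check; in the remainder of the function the buffer is allocated as `os_zalloc(he_capab_len)` and then reused on the next call if `sta->he_capab` is already set, so a station whose first element was short and whose later (re)association carries a longer element up to he_capab_max_len gets `os_memset`/`os_memcpy` of he_capab_len bytes into the smaller earlier allocation, a heap overflow the old fixed-size allocation did not have. Allocate the maximum instead and clear it fully: `sta->he_capab = os_zalloc(he_capab_max_len);` and `os_memset(sta->he_capab, 0, he_capab_max_len);`, keeping the copy and he_capab_len as they are. Separately, the check still only caps the length from above; nothing visible here rejects an element shorter than the fixed MAC/PHY fields, and check_valid_he_mcs runs before the length check without receiving he_capab_len, so if it reads the MCS fields at fixed offsets it can read past a short element — worth confirming against that helper. copy_sta_he_capab's body continues past this hunk.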
@@ -333,14 +336,13 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
}
if (!sta->he_capab) {
-sta->he_capab =
-os_zalloc(sizeof(struct ieee80211_he_capabilities));
+sta->he_capab =os_zalloc(he_capab_len);
if (!sta->he_capab)
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
sta->flags |= WLAN_STA_HE;
-os_memset(sta->he_capab, 0, sizeof(struct ieee80211_he_capabilities));
+os_memset(sta->he_capab, 0, he_capab_len);
os_memcpy(sta->he_capab, he_capab, he_capab_len);
sta->he_capab_len = he_capab_len;