diff mbox series

Add handle number of tbtt when add Neighbor AP Information field

Message ID 20231102115311.4922-1-Allen.Ye@mediatek.com
State Accepted
Headers show
Series Add handle number of tbtt when add Neighbor AP Information field | expand

Commit Message

Allen Ye Nov. 2, 2023, 11:53 a.m. UTC 
From: "Allen.Ye" <allen.ye@mediatek.com>

If number of tbtt is greater than RNR_TBTT_INFO_COUNT_MAX, the new
Neighbor AP Information field would need to be added in the rnr ie.
However, the condition of adding Neighbor AP Information field don't
consider number of tbtt.
That would cause invalid Neighbor AP Information field (the while
loop will fill data by eid pointer) when setting rnr ie.

Signed-off-by: Allen.Ye <allen.ye@mediatek.com>
---
 src/ap/ieee802_11.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Jouni Malinen Nov. 2, 2023, 2:48 p.m. UTC | #1 
On Thu, Nov 02, 2023 at 07:53:11PM +0800, Allen Ye wrote:
> If number of tbtt is greater than RNR_TBTT_INFO_COUNT_MAX, the new
> Neighbor AP Information field would need to be added in the rnr ie.
> However, the condition of adding Neighbor AP Information field don't
> consider number of tbtt.
> That would cause invalid Neighbor AP Information field (the while
> loop will fill data by eid pointer) when setting rnr ie.

Thanks, applied.
diff mbox series

Patch

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 53256c01c..c49690832 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -7175,9 +7175,11 @@  hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
 
 	while (start < hapd->iface->num_bss) {
 		if (!len ||
-		    len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
+		    len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255 ||
+		    tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) {
 			len = RNR_HEADER_LEN;
 			total_len += RNR_HEADER_LEN;
+			tbtt_count = 0;
 		}
 
 		len += RNR_TBTT_HEADER_LEN;
@@ -7422,7 +7424,8 @@  static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
 
 	while (start < iface->num_bss) {
 		if (!len ||
-		    len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
+		    len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255 ||
+		    tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) {
 			eid_start = eid;
 			*eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
 			size_offset = eid++;