From 90213394b7efb28fa511b2eaebc1343ae3b54724 Mon Sep 17 00:00:00 2001
From: Sreelakshmi Konamki
Date: Wed, 21 Sep 2016 15:17:42 +0530
Subject: qcacld-2.0: Update correct msg length in oemData_SendMBOemDataReq API
In oemData_SendMBOemDataReq(), messageLen of struct 'tSirOemDataReq' is updated with more memory than allocated to the structure. Fix is to update messageLen with size of struct.
Change-Id: Ib60fd07543f630985fe29427809d822275bbb8e0
CRs-Fixed: 1069175
---
 CORE/SME/src/oemData/oemDataApi.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/CORE/SME/src/oemData/oemDataApi.c b/CORE/SME/src/oemData/oemDataApi.c
index 3e42350..fc3f91c 100644
--- a/CORE/SME/src/oemData/oemDataApi.c
+++ b/CORE/SME/src/oemData/oemDataApi.c
@@ -208,7 +208,6 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
 {
 eHalStatus status = eHAL_STATUS_SUCCESS;
 tSirOemDataReq* pMsg;
- tANI_U16 msgLen;
 tCsrRoamSession *pSession;
 smsLog(pMac, LOGW, "OEM_DATA: entering Function %s", __func__);
@@ -225,9 +224,8 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
 return eHAL_STATUS_FAILURE;
 }
- msgLen = (uint16_t) (sizeof(*pMsg) + pOemDataReq->data_len);
 pMsg->messageType = pal_cpu_to_be16((tANI_U16)eWNI_SME_OEM_DATA_REQ);
- pMsg->messageLen = pal_cpu_to_be16(msgLen);
+ pMsg->messageLen = pal_cpu_to_be16((uint16_t) sizeof(*pMsg));
 vos_mem_copy(pMsg->selfMacAddr, pSession->selfMacAddr, sizeof(tSirMacAddr) );
 pMsg->data_len = pOemDataReq->data_len;
 /* Incoming buffer ptr saved, set to null to avoid free by caller */
-- 
cgit v1.1
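Review bot: `pMsg->data_len = pOemDataReq->data_len;` in the second hunk is still forwarded with no bound visible here, so whatever consumes this message has to trust that the length matches the buffer whose pointer is apparently handed over (per the comment on the last context line). If no upper limit is enforced before this function or in the handler, a check against the maximum OEM data size belongs next to this assignment; the name of that limit is not visible in the hunk. The new `messageLen` line would also benefit from a comment such as `/* payload travels by pointer, so messageLen covers only the fixed struct */`, so that the length is not re-extended by `data_len` in a later change. The function body starts and ends outside the hunk, so the allocation size of `pMsg` could not be checked against `sizeof(*pMsg)` from here.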