Check max number of TBTT info when adding Neighbor AP Information field
authorAllen.Ye <allen.ye@mediatek.com>
Thu, 2 Nov 2023 11:53:11 +0000 (19:53 +0800)
committerJouni Malinen <j@w1.fi>
Thu, 2 Nov 2023 14:27:56 +0000 (16:27 +0200)
If the number of TBTT info entries is greater than RNR_TBTT_INFO_COUNT_MAX, a
new Neighbor AP Information field needs to be added in the RNR
element. However, the condition for adding a Neighbor AP Information field
does not consider the number of TBTT info entries. That would cause an invalid
Neighbor AP Information field (the while loop will fill data by eid pointer)
when setting the RNR element.

Signed-off-by: Allen.Ye <allen.ye@mediatek.com>
src/ap/ieee802_11.c

index a5e5e875c5016babcc621b2bb464c2edbfc56906..678925c7f837c8d4cca8adf43e2882d2aa5c4731 100644 (file)
@@ -7175,9 +7175,11 @@ hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
 
        while (start < hapd->iface->num_bss) {
                if (!len ||
-                   len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
+                   len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255 ||
+                   tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) {
                        len = RNR_HEADER_LEN;
                        total_len += RNR_HEADER_LEN;
+                       tbtt_count = 0;
                }
 
                len += RNR_TBTT_HEADER_LEN;
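Review bot: The three-part condition at the top of the while loop in hostapd_eid_rnr_iface_len() is repeated verbatim in hostapd_eid_rnr_iface() (second hunk), and nothing ties the two copies together. Judging by the names, this function computes the length that the other one writes through `eid`, so a later edit to only one copy would presumably make the bytes written disagree with the size computed here. I would add a comment above the condition, e.g. `/* Start a new RNR element when the current one is full or the TBTT info count limit is reached; keep identical to hostapd_eid_rnr_iface() */`. A small static helper taking `len` and `tbtt_count` and used by both loops would remove the duplication altogether. The function body starts and ends outside this hunk.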
@@ -7422,7 +7424,8 @@ static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
 
        while (start < iface->num_bss) {
                if (!len ||
-                   len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
+                   len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255 ||
+                   tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) {
                        eid_start = eid;
                        *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
                        size_offset = eid++;
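Review bot: The first hunk adds `tbtt_count = 0;` inside the matching branch of hostapd_eid_rnr_iface_len(), but no such reset is visible in this branch of hostapd_eid_rnr_iface(). The branch continues past the end of the hunk, so the reset may already exist there and should be confirmed. If it does not, `tbtt_count >= RNR_TBTT_INFO_COUNT_MAX` stays true once the limit is reached, and every later pass of the while loop would write another `WLAN_EID_REDUCED_NEIGHBOR_REPORT` header that the length function did not account for. In that case `tbtt_count = 0;` belongs in this branch next to the other per-element initialisation.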