From: Allen.Ye Date: Thu, 2 Nov 2023 11:53:11 +0000 (+0800) Subject: Check max number of TBTT info when adding Neighbor AP Information field X-Git-Tag: hostap_2_11~879 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f2c41e318f94285f072c88ea09b5f54dc79baf7;p=thirdparty%2Fhostap.git Check max number of TBTT info when adding Neighbor AP Information field If the number of TBTT info is greater than RNR_TBTT_INFO_COUNT_MAX, the new Neighbor AP Information field would need to be added in the RNR element. However, the condition of adding Neighbor AP Information field does not consider number of TBTT info. That would cause invalid Neighbor AP Information field (the while loop will fill data by eid pointer) when setting RNR element. Signed-off-by: Allen.Ye --- diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index a5e5e875c..678925c7f 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -7175,9 +7175,11 @@ hostapd_eid_rnr_iface_len(struct hostapd_data *hapd, while (start < hapd->iface->num_bss) { if (!len || - len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) { + len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255 || + tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) { len = RNR_HEADER_LEN; total_len += RNR_HEADER_LEN; + tbtt_count = 0; } len += RNR_TBTT_HEADER_LEN; @@ -7422,7 +7424,8 @@ static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd, while (start < iface->num_bss) { if (!len || - len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) { + len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255 || + tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) { eid_start = eid; *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT; size_offset = eid++;
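Review bot: In the first hunk (hostapd_eid_rnr_iface_len), the three-clause test ending in `tbtt_count >= RNR_TBTT_INFO_COUNT_MAX` is now copy-pasted in both the length function and the builder, hostapd_eid_rnr_iface. The length result has to match what the builder writes through eid, so any later drift between the two copies turns into a length/write mismatch. Consider moving the test into one small static helper that both loops call. A short comment on why the comparison is `>=` would also help, since the commit message describes the case as "greater than" RNR_TBTT_INFO_COUNT_MAX.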
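Review bot: In the second hunk (hostapd_eid_rnr_iface), the new `tbtt_count >= RNR_TBTT_INFO_COUNT_MAX` clause comes without a matching `tbtt_count = 0;` in the visible lines, whereas the first hunk adds both the clause and the reset. If the reset is not already present further down this block, below the shown context, the clause stays true once it first triggers and every following iteration starts a new WLAN_EID_REDUCED_NEIGHBOR_REPORT element. Please confirm the reset is there, or add it alongside the `eid_start = eid;` setup so that the two functions stay symmetric.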