mwifiex: fix struct member mismatch

Using bss->information_elements and treating
bss->len_beacon_ies as its size is wrong, the
real size is len_information_elements.

Found while I was reviewing the use of this
cfg80211 API (as it is actually potentially
broken due to races.)

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Paul Stewart <pstew@chromium.org>
BUG=None
TEST=Boot, associate

Change-Id: I52a58aaa3b7abf66f032e9f1f4ce5248fdb60c89
Reviewed-on: https://gerrit.chromium.org/gerrit/38846
Reviewed-by: Bing Zhao <bzhao@marvell.com>
Reviewed-by: mukesh agrawal <quiche@chromium.org>
Commit-Ready: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>

diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index cad27cd..fb22b4c 100644 (file)
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -161,8 +161,9 @@ int mwifiex_fill_new_bss_desc(struct mwifiex_private *priv,
        int ret;
        u8 *beacon_ie;
        struct mwifiex_bss_priv *bss_priv = (void *)bss->priv;
+       size_t beacon_ie_len = bss->len_information_elements;
 
-       beacon_ie = kmemdup(bss->information_elements, bss->len_beacon_ies,
+       beacon_ie = kmemdup(bss->information_elements, beacon_ie_len,
                            GFP_KERNEL);
        if (!beacon_ie) {
                dev_err(priv->adapter->dev, " failed to alloc beacon_ie\n");
@@ -172,7 +173,7 @@ int mwifiex_fill_new_bss_desc(struct mwifiex_private *priv,
        memcpy(bss_desc->mac_address, bss->bssid, ETH_ALEN);
        bss_desc->rssi = bss->signal;
        bss_desc->beacon_buf = beacon_ie;
-       bss_desc->beacon_buf_size = bss->len_beacon_ies;
+       bss_desc->beacon_buf_size = beacon_ie_len;
        bss_desc->beacon_period = bss->beacon_interval;
        bss_desc->cap_info_bitmap = bss->capability;
        bss_desc->bss_band = bss_priv->band;