An addba response always ends with the timeout field. The length of the addba response is the offset of the end of the timeout field in the struct ieee80211_mgmt that defines the message. Use offsetofend to calculate this offset and drop the intermediate pktlen increments as we add addba response components. Signed-off-by: Martin Kaiser <martin@xxxxxxxxx> --- drivers/staging/r8188eu/core/rtw_mlme_ext.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/staging/r8188eu/core/rtw_mlme_ext.c b/drivers/staging/r8188eu/core/rtw_mlme_ext.c index b391273969af..2a13546e585c 100644 --- a/drivers/staging/r8188eu/core/rtw_mlme_ext.c +++ b/drivers/staging/r8188eu/core/rtw_mlme_ext.c @@ -5441,18 +5441,14 @@ void issue_action_BA(struct adapter *padapter, unsigned char *raddr, unsigned ch break; case WLAN_ACTION_ADDBA_RESP: mgmt->u.action.u.addba_resp.action_code = WLAN_ACTION_ADDBA_RESP; - pattrib->pktlen++; mgmt->u.action.u.addba_resp.dialog_token = pmlmeinfo->ADDBA_req.dialog_token; - pattrib->pktlen++; mgmt->u.action.u.addba_resp.status = cpu_to_le16(status); - pattrib->pktlen += 2; capab = le16_to_cpu(pmlmeinfo->ADDBA_req.BA_para_set) & 0x3f; capab |= u16_encode_bits(64, IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK); capab |= u16_encode_bits(pregpriv->ampdu_amsdu, IEEE80211_ADDBA_PARAM_AMSDU_MASK); mgmt->u.action.u.addba_req.capab = cpu_to_le16(capab); - pattrib->pktlen += 2; mgmt->u.action.u.addba_resp.timeout = pmlmeinfo->ADDBA_req.BA_timeout_value; - pattrib->pktlen += 2; + pattrib->pktlen = offsetofend(struct ieee80211_mgmt, u.action.u.addba_resp.timeout); break; case WLAN_ACTION_DELBA: mgmt->u.action.u.delba.action_code = WLAN_ACTION_DELBA; -- 2.30.2
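Review bot: the ADDBA_RESP case stores the capability field into the wrong union member: the context line `mgmt->u.action.u.addba_req.capab = cpu_to_le16(capab);` writes to addba_req while every other field in this case (action_code, dialog_token, status, timeout) goes to addba_resp. In struct ieee80211_mgmt the addba_req and addba_resp layouts differ after dialog_token (addba_req has capab where addba_resp has status), so this store lands on the status field just written and leaves addba_resp.capab unset. This is pre-existing and not introduced here, but since the patch now sizes the frame from addba_resp.timeout it is worth fixing in the same series: change that line to `mgmt->u.action.u.addba_resp.capab = cpu_to_le16(capab);`. On the patch itself, replacing the running pktlen increments with `pattrib->pktlen = offsetofend(struct ieee80211_mgmt, u.action.u.addba_resp.timeout);` is correct only because the ADDBA response has no variable part after timeout; a one-line comment above the assignment saying the frame ends at timeout would document why an absolute assignment is safe here where the other cases still accumulate.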