From 54aa6208141a3c274de260d436a5f33852d8acc6 Mon Sep 17 00:00:00 2001
From: Abhishek Singh
Date: Thu, 6 Jul 2017 11:25:15 +0530
Subject: [PATCH] qcacmn: Fix memory overflow in wmi roam scan filter cmd

The length of buffer used to send wmi roam scan filter cmd is not properly calculated and thus the length is less than the actual data to be copied. Fix it by properly calculating the length of the buffer.

Change-Id: I6a3baa5ca5560d2d04f9bd41a709a37abc1b95a9
CRs-Fixed: 2072057
---
 wmi_unified_tlv.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/wmi_unified_tlv.c b/wmi_unified_tlv.c
index 7800f5c284..fa3c8a4654 100644
--- a/wmi_unified_tlv.c
+++ b/wmi_unified_tlv.c
@@ -5885,8 +5885,21 @@ static QDF_STATUS send_roam_scan_filter_cmd_tlv(wmi_unified_t wmi_handle,
 	wmi_roam_lca_disallow_config_tlv_param *blist_param;
 	len = sizeof(wmi_roam_filter_fixed_param);
+
 	len += WMI_TLV_HDR_SIZE;
-	len += roam_req->len;
+	if (roam_req->num_bssid_black_list)
+		len += roam_req->num_bssid_black_list * sizeof(wmi_mac_addr);
+	len += WMI_TLV_HDR_SIZE;
+	if (roam_req->num_ssid_white_list)
+		len += roam_req->num_ssid_white_list * sizeof(wmi_ssid);
+	len += 2 * WMI_TLV_HDR_SIZE;
+	if (roam_req->num_bssid_preferred_list) {
+		len += roam_req->num_bssid_preferred_list * sizeof(wmi_mac_addr);
+		len += roam_req->num_bssid_preferred_list * sizeof(A_UINT32);
+	}
+	if (roam_req->lca_disallow_config_present)
+		len += WMI_TLV_HDR_SIZE +
+		sizeof(wmi_roam_lca_disallow_config_tlv_param);
 	buf = wmi_buf_alloc(wmi_handle, len);
 	if (!buf) {