From 9b7a116a9a54b468853ee06c1270803a84c6189f Mon Sep 17 00:00:00 2001
From: Pragaspathi Thilagaraj
Date: Mon, 7 May 2018 16:28:13 +0530
Subject: [PATCH] qcacld-3.0: Fix possible integer overflow in lim

In the function lim_process_sme_update_access_policy_vendor_ie, update_vendor_ie is parsed from the incoming msg. num_bytes is the length of the IE and is retrieved as update_vendor_ie->ie[1]+2. This num_bytes value is used as the size to copy the IE to pe_session_entry->access_policy_vendor_ie. The update_vendor_ie->ie[1] can have a maximum value of SIR_MAC_MAX_IE_LENGTH. As num_bytes is of uint8_t, a possible integer overflow can occur in lim_process_sme_update_access_policy_vendor_ie when num_bytes is assigned with update_vendor_ie->ie[1]. Change the data type of num_bytes to uint16_t so that it can hold the value of update_vendor_ie->ie[1] without truncation.

Change-Id: I05c7e83a741bf1c9c0707be51f97eae9eff1ac97
CRs-Fixed: 2235044

--- core/mac/src/pe/lim/lim_process_sme_req_messages.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/mac/src/pe/lim/lim_process_sme_req_messages.c b/core/mac/src/pe/lim/lim_process_sme_req_messages.c index 772d6e8d0f..b9f76b05a6 100644 --- a/core/mac/src/pe/lim/lim_process_sme_req_messages.c +++ b/core/mac/src/pe/lim/lim_process_sme_req_messages.c @@ -4466,7 +4466,7 @@ static void lim_process_sme_update_access_policy_vendor_ie( { struct sme_update_access_policy_vendor_ie *update_vendor_ie; struct sPESession *pe_session_entry; - uint8_t num_bytes; + uint16_t num_bytes; if (!msg) { pe_err("Buffer is Pointing to NULL");
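Review bot: widening `num_bytes` to `uint16_t` removes the wrap the message describes (ie[1] + 2 no longer truncates modulo 256), but the hunk shows only the declaration; the assignment from `update_vendor_ie->ie[1]+2` and the copy into `pe_session_entry->access_policy_vendor_ie` are outside the visible context, so this patch on its own does not let a reviewer confirm that the now-untruncated length is still bounded against the size of the destination before the copy. Consider stating in the commit message, or including in the diff, the check that `ie[1]` is at most SIR_MAC_MAX_IE_LENGTH and that `access_policy_vendor_ie` holds SIR_MAC_MAX_IE_LENGTH + 2 bytes, since the wider type turns a too-short copy into a potentially too-long one if no such bound exists.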
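An added example (not code from the patch or from qcacld-3.0) showing the truncation the commit message describes for an IE whose length octet is maximal, next to the bounds check a reviewer would want alongside the wider type; the value MAX_IE_LENGTH = 255, the helper functions and the sample IE are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed here, not taken from the patch: an 802.11 IE length octet is 8 bits, so 255. */
#define MAX_IE_LENGTH 255
/* Destination sized for ID + length octet + maximal body. */
#define ACCESS_POLICY_IE_CAP (MAX_IE_LENGTH + 2)

/* Before the fix: an 8-bit variable receives ie[1] + 2, which wraps modulo 256. */
static uint8_t ie_copy_len_u8(const uint8_t *ie)
{
    uint8_t num_bytes = (uint8_t)(ie[1] + 2);   /* cast mirrors the implicit narrowing */
    return num_bytes;
}

/* After the fix: 16 bits hold every possible ie[1] + 2 (at most 257). */
static uint16_t ie_copy_len_u16(const uint8_t *ie)
{
    uint16_t num_bytes = (uint16_t)(ie[1] + 2);
    return num_bytes;
}

/*
 * Copy the IE only when the derived length fits both the destination and the
 * bytes actually present in the message. Returns bytes copied, or 0 on reject.
 */
static size_t ie_copy_checked(uint8_t *dst, size_t dst_cap,
                              const uint8_t *ie, size_t ie_avail)
{
    uint16_t num_bytes;

    if (ie_avail < 2)
        return 0;                       /* no ID/length header to read */
    num_bytes = ie_copy_len_u16(ie);
    if (num_bytes > dst_cap || num_bytes > ie_avail)
        return 0;                       /* would overrun dst or read past the message */
    memcpy(dst, ie, num_bytes);
    return num_bytes;
}

/* Constructed sample: vendor-specific IE (ID 0xdd) with the maximal length, zero body. */
static const uint8_t sample_ie[2 + MAX_IE_LENGTH] = { 0xdd, MAX_IE_LENGTH };
```

With the 8-bit variable the maximal IE yields a copy length of 1, so the session buffer silently receives a truncated IE; with the 16-bit variable the full 257 bytes are copied, which is why the destination bound in ie_copy_checked matters once the type is widened.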