samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix possible integer overflow in lim

Browse Source 
In the function lim_process_sme_update_access_policy_vendor_ie,
update_vendor_ie is parsed from the incomming msg. num_bytes is
the length of the IE and is retrived as
update_vendor_ie->ie[1]+2. This num_bytes value is used as the
size to copy the IE to pe_session_entry->access_policy_vendor_ie
The update_vendor_ie->ie[1] can have a maximum value of
SIR_MAC_MAX_IE_LENGTH . As the num_bytes is of uint8_t,a
possible integer overflow can occur in
lim_process_sme_update_access_policy_vendor_ie when num_bytes is
assigned with update_vendor_ie->ie[1].

Change the data type of the num_bytes to uint16_t so that it can
hold the value of update_vendor_ie->ie[1] without truncation.

Change-Id: I05c7e83a741bf1c9c0707be51f97eae9eff1ac97
CRs-Fixed: 2235044
This commit is contained in:
Pragaspathi Thilagaraj
2018-05-07 16:28:13 +05:30
committed by nshrivas
parent 7494819d8f
commit 9b7a116a9a
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/mac/src/pe/lim/lim_process_sme_req_messages.c
View File

@@ -4466,7 +4466,7 @@ static void lim_process_sme_update_access_policy_vendor_ie(
{ {
struct sme_update_access_policy_vendor_ie *update_vendor_ie; struct sme_update_access_policy_vendor_ie *update_vendor_ie;
struct sPESession *pe_session_entry; struct sPESession *pe_session_entry;
uint8_t num_bytes; uint16_t num_bytes;
if (!msg) { if (!msg) {
pe_err("Buffer is Pointing to NULL"); pe_err("Buffer is Pointing to NULL");