qcacmn: Avoid possible buffer overflow

In function tdls_ct_sampling_tx_rx, memcpy of unknown length buffer is done into fixed size struct array. Mem copying without checking length can lead to buffer overflow. Change-Id: I0608bd69d71ff1901f82b44d045963e9d383e6ce CRs-Fixed: 2269276
2018-06-28 11:13:25 +05:30
parent 1a3151ed20
commit 9bf4f33852
1 changed files with 2 additions and 1 deletions
--- a/umac/tdls/core/src/wlan_tdls_ct.c
+++ b/umac/tdls/core/src/wlan_tdls_ct.c
@@ -223,7 +223,8 @@ static void tdls_ct_sampling_tx_rx(struct tdls_vdev_priv_obj *tdls_vdev,
 		return;
 	}

-	mac_entries = tdls_vdev->valid_mac_entries;
+	mac_entries = QDF_MIN(tdls_vdev->valid_mac_entries,
+			      WLAN_TDLS_CT_TABLE_SIZE);

 	qdf_mem_copy(mac_table, tdls_vdev->ct_peer_table,
 	       (sizeof(struct tdls_conn_tracker_mac_table)) * mac_entries);