From a06b8ce48400ee4b91a64306584ce8de486dd2bb Mon Sep 17 00:00:00 2001
From: bings
Date: Mon, 2 Dec 2019 17:02:03 +0800
Subject: [PATCH] qcacld-3.0: fix buffer overflow in psessionEntry->pSchBeaconFrameBegin
psessionEntry->pSchBeaconFrameBegin is allocated with fix length SCH_MAX_BEACON_SIZE. Do not copy the value to the buffer exceeding psessionEntry->pSchBeaconFrameBegin.
Change-Id: I539692c01753b991a963b0416177cf5b474cfdf8
CRs-Fixed: 2577689
---
 core/mac/src/pe/sch/sch_beacon_gen.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/core/mac/src/pe/sch/sch_beacon_gen.c b/core/mac/src/pe/sch/sch_beacon_gen.c
index df3023b200..87a1c304d0 100644
--- a/core/mac/src/pe/sch/sch_beacon_gen.c
+++ b/core/mac/src/pe/sch/sch_beacon_gen.c
@@ -933,6 +933,12 @@ static QDF_STATUS write_beacon_to_memory(struct mac_context *mac, uint16_t size,
 /* copy end of beacon only if length > 0 */
 if (length > 0) {
+ if (size + pe_session->schBeaconOffsetEnd >
+ SIR_MAX_BEACON_SIZE) {
+ pe_err("beacon tmp fail size %d BeaconOffsetEnd %d",
+ size, pe_session->schBeaconOffsetEnd);
+ return QDF_STATUS_E_FAILURE;
+ }
 for (i = 0; i < pe_session->schBeaconOffsetEnd; i++)
 pe_session->pSchBeaconFrameBegin[size++] =
 pe_session->pSchBeaconFrameEnd[i];