qcacld-3.0: fix buffer overflow in psessionEntry->pSchBeaconFrameBegin

psessionEntry->pSchBeaconFrameBegin is allocated with a fixed length of
SCH_MAX_BEACON_SIZE. Do not copy data into the buffer beyond the end of
psessionEntry->pSchBeaconFrameBegin.

Change-Id: I539692c01753b991a963b0416177cf5b474cfdf8
CRs-Fixed: 2577689
bings
2019-12-02 17:02:03 +08:00
committed by nshrivas
parent eebaeb7e0b
commit a06b8ce484


@@ -933,6 +933,12 @@ static QDF_STATUS write_beacon_to_memory(struct mac_context *mac, uint16_t size,
/* copy end of beacon only if length > 0 */ /* copy end of beacon only if length > 0 */
if (length > 0) { if (length > 0) {
if (size + pe_session->schBeaconOffsetEnd >
SIR_MAX_BEACON_SIZE) {
pe_err("beacon tmp fail size %d BeaconOffsetEnd %d",
size, pe_session->schBeaconOffsetEnd);
return QDF_STATUS_E_FAILURE;
}
for (i = 0; i < pe_session->schBeaconOffsetEnd; i++) for (i = 0; i < pe_session->schBeaconOffsetEnd; i++)
pe_session->pSchBeaconFrameBegin[size++] = pe_session->pSchBeaconFrameBegin[size++] =
pe_session->pSchBeaconFrameEnd[i]; pe_session->pSchBeaconFrameEnd[i];
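Review bot: The bound in the added check `if (size + pe_session->schBeaconOffsetEnd > SIR_MAX_BEACON_SIZE)` is not the constant the commit message names as the allocation size of pSchBeaconFrameBegin (SCH_MAX_BEACON_SIZE). Both macro definitions are outside this hunk, so they may be equal, but if SIR_MAX_BEACON_SIZE is ever the larger one the copy loop that follows can still write past the end of the buffer. Tie the check to the allocation, e.g. `if (size + pe_session->schBeaconOffsetEnd > SCH_MAX_BEACON_SIZE) {`, and add a comment such as `/* pSchBeaconFrameBegin holds SCH_MAX_BEACON_SIZE bytes; reject a tail that would not fit */`. The log text "beacon tmp fail" would be easier to triage if it also printed the limit that was exceeded. write_beacon_to_memory starts and ends outside the hunk, so whether the early return needs any cleanup cannot be judged from here.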