From ccd1bed7886ba48bd48dca1fb2464261bad9523e Mon Sep 17 00:00:00 2001
From: Abhinav Kumar
Date: Wed, 27 Jun 2018 11:26:53 +0530
Subject: [PATCH] qcacld-3.0: Fix OOB write in lim_populate_peer_rate_set

To poiulate peer rates (Supproted rates, HT & VHT Capabilities) lim_populate_peer_rate_set first copy values of psessionEntry->rateSet.rate in a local buffer tempRateSet for sorting of rates. Currently while copying, index for psessionEntry->rateSet.rate bufffer varies from 0 to max rate allowed SIR_MAC_RATESET_EID_MAX(12). This results access of 13th index(OOB) of psessionEntry->rateSet.rate buffer. The fix is to set proper upper bound to copy values of psessionEntry->rateSet.rate in to a local buffer tempRateSet.

Change-Id: I75d5f5b5e7d44665101dae6e095b4adadc1781fb
CRs-Fixed: 2268610
---
 core/mac/src/pe/lim/lim_assoc_utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/mac/src/pe/lim/lim_assoc_utils.c b/core/mac/src/pe/lim/lim_assoc_utils.c
index ebd7de9c4b..9a189c10cb 100644
--- a/core/mac/src/pe/lim/lim_assoc_utils.c
+++ b/core/mac/src/pe/lim/lim_assoc_utils.c
@@ -1691,7 +1691,7 @@ lim_populate_peer_rate_set(tpAniSirGlobal pMac,
 }
 } else
 tempRateSet2.numRates = 0;
- if ((tempRateSet.numRates + tempRateSet2.numRates) >
+ if ((tempRateSet.numRates + tempRateSet2.numRates) >=
 SIR_MAC_RATESET_EID_MAX) {
 pe_err("more than 12 rates in CFG");
 return QDF_STATUS_E_FAILURE;
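Review bot: The error text `pe_err("more than 12 rates in CFG")` no longer matches the condition above it: with `>=` the branch now fires when the sum equals SIR_MAC_RATESET_EID_MAX (12), so exactly 12 configured rates are rejected while the message still says "more than 12". If the rate buffers are sized SIR_MAC_RATESET_EID_MAX, a full 12-rate b/g set (4 CCK + 8 OFDM) becomes unconfigurable, a behavior change the description does not mention; the description locates the overread in the copy loop whose index runs to SIR_MAC_RATESET_EID_MAX inclusive, and that loop is outside this hunk, so tightening its bound there would presumably remove the OOB without shrinking the accepted rate count. At minimum the message should state the limit actually enforced, e.g. `pe_err("%d rates in CFG exceeds limit %d", tempRateSet.numRates + tempRateSet2.numRates, SIR_MAC_RATESET_EID_MAX - 1);` (assuming pe_err takes printf-style arguments, as its siblings in this driver do). lim_populate_peer_rate_set begins before and continues after this hunk.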