Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity

wlan: Add bound check before writing to channel list

Browse source 
qcacld-3.0 to prima propagation

In function rrmProcessBeaconReportReq, add bound check before
writing to channel list which is of fixed size.

Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
CRs-Fixed: 2072774
Fix CVE-2017-11014

Change-Id: Ie5ec655f449093b8b5042a398d94b8342df60e3e
This commit is contained in:
google 2017-11-12 20:23:57 -08:00 committed by Nolen Johnson
parent e45a21534d
commit 1c9eae999d
1 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
drivers/staging/prima/CORE/MAC/src/pe/rrm/rrmApi.c
View file

@ -632,14 +632,21 @@ rrmProcessBeaconReportReq( tpAniSirGlobal pMac,
pSmeBcnReportReq->channelList.numChannels = num_channels;
if( pBeaconReq->measurement_request.Beacon.num_APChannelReport )
{
tANI_U8 *pChanList = pSmeBcnReportReq->channelList.channelNumber;
tANI_U8 *ch_lst = pSmeBcnReportReq->channelList.channelNumber;
uint8_t len;
uint16_t ch_ctr = 0;
for( num_APChanReport = 0 ; num_APChanReport < pBeaconReq->measurement_request.Beacon.num_APChannelReport ; num_APChanReport++ )
{
palCopyMemory( pMac->hHdd, pChanList,
pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].channelList,
pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList );
len = pBeaconReq->measurement_request.Beacon.
APChannelReport[num_APChanReport].num_channelList;
if(ch_ctr + len > sizeof(pSmeBcnReportReq->channelList.channelNumber))
break;
pChanList += pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList;
palCopyMemory( pMac->hHdd, &ch_lst[ch_ctr],
pBeaconReq->measurement_request.Beacon.
APChannelReport[num_APChanReport].channelList, len);
ch_ctr += len;
}
}