Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity

wlan: Fix possible buffer overflow in sirConvertAddtsRsp2Struct

Browse source 
In the function sirConvertAddtsRsp2Struct, iterator j is
assigned with the value pAddTs->numTclas + addts.num_WMMTCLAS.
The j value is used as the index to the array pAddTs->tclasInfo.
Maximum limit on  pAddTs->tclasInfo entries is 2. So when the
value of j exceeds 2, then a possible buffer overflow could
occur.

Validate the value of j against SIR_MAC_TCLASIE_MAXNUM(2).

Change-Id: Icc723380ed4ccd51c729194d509e288be0e0712c
CRs-Fixed: 2449899
This commit is contained in:
lifeng 2019-03-20 18:05:26 +08:00 committed by Nolen Johnson
parent 4b5cf10b21
commit 653a991df0
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
drivers/staging/prima/CORE/SYS/legacy/src/utils/src/parserApi.c
View file

@ -3263,7 +3263,7 @@ sirConvertAddtsReq2Struct(tpAniSirGlobal pMac,
if ( addts.num_WMMTCLAS )
{
j = (tANI_U8)(pAddTs->numTclas + addts.num_WMMTCLAS);
if ( SIR_MAC_TCLASIE_MAXNUM > j ) j = SIR_MAC_TCLASIE_MAXNUM;
if ( SIR_MAC_TCLASIE_MAXNUM < j ) j = SIR_MAC_TCLASIE_MAXNUM;
for ( i = pAddTs->numTclas; i < j; ++i )
{
@ -3445,7 +3445,7 @@ sirConvertAddtsRsp2Struct(tpAniSirGlobal pMac,
if ( addts.num_WMMTCLAS )
{
j = (tANI_U8)(pAddTs->numTclas + addts.num_WMMTCLAS);
if ( SIR_MAC_TCLASIE_MAXNUM > j ) j = SIR_MAC_TCLASIE_MAXNUM;
if ( SIR_MAC_TCLASIE_MAXNUM < j ) j = SIR_MAC_TCLASIE_MAXNUM;
for ( i = pAddTs->numTclas; i < j; ++i )
{