mirror of
https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
synced 2024-09-21 03:43:03 +00:00
qcacld-2.0: Fix out of bounds bug in limProcessMessages
uMacPostCtrlMsg allocates memory of size tSirSmeScanAbortReq for the tSirMbMsg structure of the scan abort msg that is posted to the mc thread. In limProcessMessages, we typecast bodyptr to tSirMbMsg and use its data variable, which results in a slab out-of-bounds bug. The fix is to typecast bodyptr to tSirSmeScanAbortReq in limProcessMessages. Change-Id: Iabeeabcba64ccc30895f57cbe40d969f1a9e6dca CRs-Fixed: 2031160 Bug: 37082991 Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
parent
50b57345ec
commit
20d177f49f
|
@ -1366,12 +1366,10 @@ limProcessMessages(tpAniSirGlobal pMac, tpSirMsgQ limMsg)
|
|||
|
||||
case eWNI_SME_SCAN_ABORT_IND:
|
||||
{
|
||||
tSirMbMsg *pMsg = limMsg->bodyptr;
|
||||
tANI_U8 sessionId;
|
||||
tSirSmeScanAbortReq *pMsg = (tSirSmeScanAbortReq *) limMsg->bodyptr;
|
||||
if (pMsg)
|
||||
{
|
||||
sessionId = (tANI_U8) pMsg->data[0];
|
||||
limProcessAbortScanInd(pMac, sessionId);
|
||||
limProcessAbortScanInd(pMac, pMsg->sessionId);
|
||||
vos_mem_free((v_VOID_t *)limMsg->bodyptr);
|
||||
limMsg->bodyptr = NULL;
|
||||
}
|
||||
|
|
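Review bot: The new cast in the `eWNI_SME_SCAN_ABORT_IND` case is only safe while every sender of this message allocates a `tSirSmeScanAbortReq`, and nothing at the cast records that contract; per the commit description, the original bug was exactly such a mismatch between the allocation in uMacPostCtrlMsg and the type read here. I would add a comment above the declaration, e.g. `/* bodyptr is a tSirSmeScanAbortReq allocated by uMacPostCtrlMsg; do not read it as tSirMbMsg */`. `pMsg->sessionId` is also handed to `limProcessAbortScanInd` with no range check in this hunk; whether the callee validates it is not visible here, and if it does not, a bounds check against the session limit belongs before the call. The case body and the enclosing switch continue outside the hunk.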