From 20d177f49f49eccd9d8b8c0d937d7f1607953dcc Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda
Date: Mon, 10 Apr 2017 00:33:48 -0700
Subject: [PATCH] qcacld-2.0: Fix out of bounds bug in limProcessMessages

uMacPostCtrlMsg allocates memory of size tSirSmeScanAbortReq for tSirMbMsg structure for scan abort msg that is posted to mc thread. In limProcessMessages, we typecast the bodyptr to tSirMbMsg and use data variable which results in slab out of bounds bug. Fix is to typecast the bodyptr to tSirSmeScanAbortReq in limProcessMessages.

Change-Id: Iabeeabcba64ccc30895f57cbe40d969f1a9e6dca
CRs-Fixed: 2031160
Bug: 37082991
Signed-off-by: Srinivas Girigowda
---
.../qcacld-2.0/CORE/MAC/src/pe/lim/limProcessMessageQueue.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessMessageQueue.c b/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
index 9a665b8f5258..fd2759289562 100644
--- a/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessMessageQueue.c
@@ -1366,12 +1366,10 @@ limProcessMessages(tpAniSirGlobal pMac, tpSirMsgQ limMsg)
 case eWNI_SME_SCAN_ABORT_IND:
 {
- tSirMbMsg *pMsg = limMsg->bodyptr;
- tANI_U8 sessionId;
+ tSirSmeScanAbortReq *pMsg = (tSirSmeScanAbortReq *) limMsg->bodyptr;
 if (pMsg)
 {
- sessionId = (tANI_U8) pMsg->data[0];
- limProcessAbortScanInd(pMac, sessionId);
+ limProcessAbortScanInd(pMac, pMsg->sessionId);
 vos_mem_free((v_VOID_t *)limMsg->bodyptr);
 limMsg->bodyptr = NULL;
 }
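Review bot: The new `tSirSmeScanAbortReq *pMsg = (tSirSmeScanAbortReq *) limMsg->bodyptr;` line makes this handler trust that every poster of eWNI_SME_SCAN_ABORT_IND allocates a body of that exact type, yet nothing in the hunk checks it; the commit message only accounts for uMacPostCtrlMsg, and the original bug was precisely a sender/receiver type mismatch on this message. If tSirSmeScanAbortReq carries a length header like the other SME requests appear to (I cannot confirm that from the hunk), guard the field read with `if (pMsg->msgLen < sizeof(*pMsg)) { /* log, free, and skip */ }` before `limProcessAbortScanInd(pMac, pMsg->sessionId);`, so a short body is rejected rather than read past its allocation again. Independently of that, document the contract at the declaration with `/* bodyptr is a tSirSmeScanAbortReq sized by the posting side (uMacPostCtrlMsg); any new sender must allocate the same struct */`, since the cast itself silences the compiler and leaves the comment as the only safeguard; in C the explicit cast from the void pointer is also unnecessary. Note that if limProcessAbortScanInd still takes a tANI_U8 and the struct's sessionId is a wider type, the call now narrows implicitly where the old code did so with a visible cast. limProcessMessages begins before this hunk and continues after it.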