Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

qcacld-2.0: Avoid integer overflow in lim_update_ibss_prop_add_ies 

In function lim_update_ibss_prop_add_ies size of a malloc is based on
sum of two integers. Add check for integer overflow before malloc.

Change-Id: I53ad59f0a38b102d714fa8cfe9471b52935d8376
CRs-Fixed: 2116415
This commit is contained in:
gaurank kathpalia 2017-10-24 12:35:32 +05:30 committed by L R
parent 31311f3a45
commit 2edeb9e6fe
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
View File

@ -6575,8 +6575,17 @@ limUpdateIBssPropAddIEs(tpAniSirGlobal pMac, tANI_U8 **pDstData_buff,
vos_mem_copy(vendor_ie, pModifyIE->pIEBuffer,
pModifyIE->ieBufferlength);
} else {
uint16_t new_length = pModifyIE->ieBufferlength + *pDstDataLen;
uint8_t *new_ptr = vos_mem_malloc(new_length);
uint8_t *new_ptr;
uint16_t new_length;
if (USHRT_MAX - pModifyIE->ieBufferlength < *pDstDataLen) {
limLog(pMac,LOGE,FL("U16 overflow due to %d + %d"),
pModifyIE->ieBufferlength, *pDstDataLen);
return false;
}
new_length = pModifyIE->ieBufferlength + *pDstDataLen;
new_ptr = vos_mem_malloc(new_length);
if (NULL == new_ptr) {
limLog(pMac, LOGE, FL("Memory allocation failed."));