qcacld-2.0: Avoid integer overflow in lim_update_ibss_prop_add_ies
In function lim_update_ibss_prop_add_ies size of a malloc is based on sum of two integers. Add check for integer overflow before malloc. Change-Id: I53ad59f0a38b102d714fa8cfe9471b52935d8376 CRs-Fixed: 2116415
This commit is contained in:
parent
31311f3a45
commit
2edeb9e6fe
|
@ -6575,8 +6575,17 @@ limUpdateIBssPropAddIEs(tpAniSirGlobal pMac, tANI_U8 **pDstData_buff,
|
||||||
vos_mem_copy(vendor_ie, pModifyIE->pIEBuffer,
|
vos_mem_copy(vendor_ie, pModifyIE->pIEBuffer,
|
||||||
pModifyIE->ieBufferlength);
|
pModifyIE->ieBufferlength);
|
||||||
} else {
|
} else {
|
||||||
uint16_t new_length = pModifyIE->ieBufferlength + *pDstDataLen;
|
uint8_t *new_ptr;
|
||||||
uint8_t *new_ptr = vos_mem_malloc(new_length);
|
uint16_t new_length;
|
||||||
|
|
||||||
|
if (USHRT_MAX - pModifyIE->ieBufferlength < *pDstDataLen) {
|
||||||
|
limLog(pMac,LOGE,FL("U16 overflow due to %d + %d"),
|
||||||
|
pModifyIE->ieBufferlength, *pDstDataLen);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
new_length = pModifyIE->ieBufferlength + *pDstDataLen;
|
||||||
|
new_ptr = vos_mem_malloc(new_length);
|
||||||
|
|
||||||
if (NULL == new_ptr) {
|
if (NULL == new_ptr) {
|
||||||
limLog(pMac, LOGE, FL("Memory allocation failed."));
|
limLog(pMac, LOGE, FL("Memory allocation failed."));
|
||||||
|
|
Loading…
Reference in New Issue