qcacld-2.0: Fix buffer overflow

In limInitPeerIdxpool, the driver initializes gLimAssocStaLimit/
gLimIbssStaLimit entries of the peer index pool. However, peCreateSession
may allocate less memory for the peer index pool, because maxStation can
differ from gLimAssocStaLimit/gLimIbssStaLimit, so the initialization
can overwrite adjacent memory locations. Fix this by initializing
maxStation entries. Also, change limCreateSessionForRemainOnChn to pass
pMac->lim.maxStation as the number of entries.

Change-Id: I915e67fe7a15ebe622273af971d8a88ad78585cf
CRs-Fixed: 1025378
Padma, Santhosh Kumar 2016-06-08 18:29:20 +05:30 committed by syphyr
parent 9bf4ae8f5b
commit 642cca810d
2 changed files with 2 additions and 3 deletions


@ -76,7 +76,7 @@ void
limInitPeerIdxpool(tpAniSirGlobal pMac,tpPESession pSessionEntry)
{
tANI_U8 i;
tANI_U8 maxAssocSta = pMac->lim.gLimAssocStaLimit;
tANI_U8 maxAssocSta = pMac->lim.maxStation;
pSessionEntry->gpLimPeerIdxpool[0]=0;
@ -92,7 +92,6 @@ limInitPeerIdxpool(tpAniSirGlobal pMac,tpPESession pSessionEntry)
#ifdef QCA_IBSS_SUPPORT
if (LIM_IS_IBSS_ROLE(pSessionEntry)) {
pSessionEntry->freePeerIdxHead=LIM_START_PEER_IDX;
maxAssocSta = pMac->lim.gLimIbssStaLimit;
}
else
#endif
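Review bot: The initialisation bound in limInitPeerIdxpool is still read from a global, `pMac->lim.maxStation`, rather than from the size the session's pool was actually allocated with, so the writes stay in bounds only while every peCreateSession caller passes that same value. The allocation is not visible here; if the session records its own station count, initialising from that would remove the coupling, and otherwise a comment on the declaration such as `/* must match the station count given to peCreateSession() for this session */` would at least document it. `maxAssocSta` is a `tANI_U8`, so if `maxStation` is declared wider the assignment would truncate silently, which is worth confirming. The function body continues outside both hunks of this file.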


@ -226,7 +226,7 @@ tSirRetStatus limCreateSessionForRemainOnChn(tpAniSirGlobal pMac, tPESession **p
{
if((psessionEntry = peCreateSession(pMac,
pMac->lim.gpLimRemainOnChanReq->selfMacAddr,
&sessionId, 1, eSIR_INFRA_AP_MODE)) == NULL)
&sessionId, pMac->lim.maxStation, eSIR_INFRA_AP_MODE)) == NULL)
{
limLog(pMac, LOGE, FL("Session Can not be created "));
/* send remain on chn failure */
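Review bot: The new argument at the peCreateSession call carries no comment saying why a remain-on-channel session needs `pMac->lim.maxStation` entries, so a later cleanup could plausibly restore the literal `1` and bring the overflow back. A one-line comment above the call, for example `/* entry count must equal what limInitPeerIdxpool() initializes */`, would pin the invariant. Only this call site is changed in the commit; any other peCreateSession caller that passes a different count would presumably still be under-allocated, which cannot be checked from this page. The enclosing function starts and ends outside the hunk.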