qcacld-2.0: fix buffer overflow in psessionEntry->pSchBeaconFrameBegin
psessionEntry->pSchBeaconFrameBegin is allocated with a fixed length of SCH_MAX_BEACON_SIZE. Do not copy data into the buffer past the end of psessionEntry->pSchBeaconFrameBegin. Change-Id: I539692c01753b991a963b0416177cf5b474cfdf8 CRs-Fixed: 2577682
parent
ae2ae2b6c2
commit
7950bc21b7
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2012-2016, 2019 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||||
*
|
||||
|
@ -810,6 +810,12 @@ void writeBeaconToMemory(tpAniSirGlobal pMac, tANI_U16 size, tANI_U16 length, tp
|
|||
// copy end of beacon only if length > 0
|
||||
if (length > 0)
|
||||
{
|
||||
if (size + psessionEntry->schBeaconOffsetEnd > SCH_MAX_BEACON_SIZE) {
|
||||
schLog(pMac, LOGE,
|
||||
FL("beacon template fail size %d BeaconOffsetEnd %d"),
|
||||
size, psessionEntry->schBeaconOffsetEnd);
|
||||
return;
|
||||
}
|
||||
for (i=0; i < psessionEntry->schBeaconOffsetEnd; i++)
|
||||
psessionEntry->pSchBeaconFrameBegin[size++] = psessionEntry->pSchBeaconFrameEnd[i];
|
||||
}
|
||||
|
|
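Review bot: The guard added in the `length > 0` branch bounds only the write into `pSchBeaconFrameBegin`; the same `schBeaconOffsetEnd` value is also the number of bytes the loop reads from `pSchBeaconFrameEnd`, and that buffer's size is not visible in this hunk. If `pSchBeaconFrameEnd` is a fixed-size allocation as well, the condition should also reject an offset larger than that buffer before the copy runs. Separately, writeBeaconToMemory returns void, so the new early `return` is reported only through the LOGE message and skips whatever follows in the function; a comment at the return such as `/* tail would overrun SCH_MAX_BEACON_SIZE: drop this update, caller is not notified */` would make that intent explicit. The function body starts and ends outside the hunk, so the effect on the code after the branch could not be checked here.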