qcacld-2.0: fix buffer overflow in psessionEntry->pSchBeaconFrameBegin

psessionEntry->pSchBeaconFrameBegin is allocated with a fixed length of
SCH_MAX_BEACON_SIZE. Do not copy the value to the buffer exceeding
psessionEntry->pSchBeaconFrameBegin.

Change-Id: I539692c01753b991a963b0416177cf5b474cfdf8
CRs-Fixed: 2577682
bings 2019-11-29 15:37:56 +08:00 committed by syphyr
parent ae2ae2b6c2
commit 7950bc21b7
1 changed files with 7 additions and 1 deletions

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
* Copyright (c) 2012-2016, 2019 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@ -810,6 +810,12 @@ void writeBeaconToMemory(tpAniSirGlobal pMac, tANI_U16 size, tANI_U16 length, tp
// copy end of beacon only if length > 0
if (length > 0)
{
if (size + psessionEntry->schBeaconOffsetEnd > SCH_MAX_BEACON_SIZE) {
schLog(pMac, LOGE,
FL("beacon template fail size %d BeaconOffsetEnd %d"),
size, psessionEntry->schBeaconOffsetEnd);
return;
}
for (i=0; i < psessionEntry->schBeaconOffsetEnd; i++)
psessionEntry->pSchBeaconFrameBegin[size++] = psessionEntry->pSchBeaconFrameEnd[i];
}
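
Review bot: the early `return` added at the top of the `if (length > 0)` block leaves a `void` function without telling the caller that the beacon template was not completed, so the only trace of the failure is the LOGE line. Consider returning a status from writeBeaconToMemory, or otherwise marking the session's beacon as invalid, so that whatever consumes pSchBeaconFrameBegin does not act on a partially written frame. The condition also bounds only the destination index: nothing in the visible lines checks schBeaconOffsetEnd against the size of pSchBeaconFrameEnd, which the loop reads from with the same counter. Printing SCH_MAX_BEACON_SIZE in the log message alongside `size` and `schBeaconOffsetEnd` would make the failure easier to diagnose.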