qcacld-2.0: fix buffer overflow in psessionEntry->pSchBeaconFrameBegin
psessionEntry->pSchBeaconFrameBegin is allocated with a fixed length of SCH_MAX_BEACON_SIZE. Do not copy data past the end of the psessionEntry->pSchBeaconFrameBegin buffer. Change-Id: I539692c01753b991a963b0416177cf5b474cfdf8 CRs-Fixed: 2577682
parent
ae2ae2b6c2
commit
7950bc21b7
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
|
* Copyright (c) 2012-2016, 2019 The Linux Foundation. All rights reserved.
|
||||||
*
|
*
|
||||||
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||||||
*
|
*
|
||||||
|
@ -810,6 +810,12 @@ void writeBeaconToMemory(tpAniSirGlobal pMac, tANI_U16 size, tANI_U16 length, tp
|
||||||
// copy end of beacon only if length > 0
|
// copy end of beacon only if length > 0
|
||||||
if (length > 0)
|
if (length > 0)
|
||||||
{
|
{
|
||||||
|
if (size + psessionEntry->schBeaconOffsetEnd > SCH_MAX_BEACON_SIZE) {
|
||||||
|
schLog(pMac, LOGE,
|
||||||
|
FL("beacon template fail size %d BeaconOffsetEnd %d"),
|
||||||
|
size, psessionEntry->schBeaconOffsetEnd);
|
||||||
|
return;
|
||||||
|
}
|
||||||
for (i=0; i < psessionEntry->schBeaconOffsetEnd; i++)
|
for (i=0; i < psessionEntry->schBeaconOffsetEnd; i++)
|
||||||
psessionEntry->pSchBeaconFrameBegin[size++] = psessionEntry->pSchBeaconFrameEnd[i];
|
psessionEntry->pSchBeaconFrameBegin[size++] = psessionEntry->pSchBeaconFrameEnd[i];
|
||||||
}
|
}
|
||||||
|
|
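Review bot: The added guard in writeBeaconToMemory bounds only the destination index of the copy loop, and only when `length > 0`. On the `length == 0` path `size` is never compared with SCH_MAX_BEACON_SIZE, and the loop's reads from `pSchBeaconFrameEnd[i]` rely on `schBeaconOffsetEnd` fitting that source buffer, which this hunk does not show being enforced. The function body starts and ends outside the hunk, so whether `size` is used after this block cannot be confirmed from here; if it is, an unconditional `if (size > SCH_MAX_BEACON_SIZE) return;` ahead of the `length` test would close that path. The early `return` is also invisible to the caller because the function is `void`, so a comment such as `/* template not written: end segment would overrun pSchBeaconFrameBegin (SCH_MAX_BEACON_SIZE) */` above the check would record why the beacon update is dropped.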