qcacld-2.0: Fix integer overflow in rrmFillBeaconIes()
In function rrmFillBeaconIes, the total IE length is calculated as the sum of the IE's length field and 2 (1 byte for the element ID and 1 byte for the IE length field). The total IE length is defined as type uint16_t and will overflow if *(pBcnIes + 1) = 0xfe. Validate len against the total IE length to avoid the overflow. Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88 CRs-Fixed: 2617005
parent
47e4e3d2af
commit
9354ce454d
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||||
*
|
||||
|
@ -710,10 +710,16 @@ rrmFillBeaconIes( tpAniSirGlobal pMac,
|
|||
|
||||
while ( BcnNumIes > 0 )
|
||||
{
|
||||
len = *(pBcnIes + 1) + 2; //element id + length.
|
||||
len = *(pBcnIes + 1);
|
||||
len += 2; //element id + length.
|
||||
limLog( pMac, LOG3, "EID = %d, len = %d total = %d",
|
||||
*pBcnIes, *(pBcnIes+1), len );
|
||||
|
||||
if (BcnNumIes < len) {
|
||||
limLog(pMac, LOGE, "RRM: Invalid IE len: %d, exp_len: %d",
|
||||
len, BcnNumIes);
|
||||
break;
|
||||
}
|
||||
i = 0;
|
||||
do
|
||||
{
|
||||
|
|
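Review bot: The length byte `*(pBcnIes + 1)` is still read before anything confirms that two bytes remain, because the loop guard is only `BcnNumIes > 0`; a single trailing byte lets that read, and the LOG3 line after it, touch one byte past the IE data. A guard ahead of the read, `if (BcnNumIes < 2) break;`, would close that. Separately, the new `BcnNumIes < len` check only rejects oversized elements if `len` is wider than 8 bits. Its declaration is outside this hunk and the commit message describes it as uint16_t, so it is worth confirming the declaration really has that width; with an 8-bit `len`, `len += 2` would wrap to 0 or 1 for length bytes 0xfe/0xff and pass the check. The loop body continues beyond the end of the hunk.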