From 9354ce454d757dffbd7403c413918c29dd9a9508 Mon Sep 17 00:00:00 2001
From: bings
Date: Sat, 15 Feb 2020 20:35:55 +0800
Subject: [PATCH] qcacld-2.0: Fix integer overflow in rrmFillBeaconIes()

In function rrmFillBeaconIes, the total IE length is calculated as sum of length field of the IE and 2 (element id 1 bytr and IE length field 1 byte). The total IE length is defined of type uint16_t and will overflow if the *(pBcnIes + 1) = 0xfe. Validate the len against total IE length to avoid overfloa.

Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2617005
---
 .../wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c b/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
index 9bdac29d6def..c0afd8f4868b 100644
--- a/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -710,10 +710,16 @@ rrmFillBeaconIes( tpAniSirGlobal pMac,
     while ( BcnNumIes > 0 )
     {
-        len = *(pBcnIes + 1) + 2; //element id + length.
+        len = *(pBcnIes + 1);
+        len += 2; //element id + length.
         limLog( pMac, LOG3, "EID = %d, len = %d total = %d", *pBcnIes, *(pBcnIes+1), len );
+        if (BcnNumIes < len) {
+            limLog(pMac, LOGE, "RRM: Invalid IE len: %d, exp_len: %d",
+                   len, BcnNumIes);
+            break;
+        }
         i = 0;
         do {