| author | Rajeev Kumar <rajekuma@codeaurora.org> | 2017-11-17 10:53:58 -0800 |
|---|---|---|
| committer | Oleg Matcovschi <omatcovschi@google.com> | 2018-03-15 15:24:47 -0700 |
| commit | 9454fea252e74c1cd608ce50b863929b28eaafbe (patch) | |
| tree | a88893cbcd28b8f48a6d0c20b9e1f99c97763e96 /net/lapb/lapb_timer.c | |
| parent | 171a2781c3eab8686b11a42e717967c9cabaebfe (diff) | |
qcacld-3.0: Avoid heap overflow during cfg80211 vendor scan request
WLAN driver's vendor scan request handler function declares ie_len
as uint8_t whereas kernel's cfg80211_scan_request ie_len is declared
as size_t. This type mismatch for ie_len leads to WLAN driver allocating
less memory on heap because of implicit integer overflow when kernel's
ie_len (declared as size_t) is bigger than hex 0xFF, and when scan request
data is copied it overflows the allocated heap memory.
In WLAN driver's vendor scan request handler declare ie_len and len also
of type size_t such that heap memory of the correct size is always allocated and
there is no heap overflow during memory copy.
Bug: 72956999
Change-Id: I240113d34c561c7155303b0b8b253c0cbaf7724b
CRs-Fixed: 2145573
Signed-off-by: Ecco Park <eccopark@google.com>
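The narrowing described in the commit message, as an added example that is not the driver's or kernel's own code: a constructed `scan_request` stand-in with a `size_t ie_len`, the buggy allocation-size computation through a `uint8_t` local, the fixed `size_t` computation, and a bounds check a handler can apply before the copy (`alloc_len_truncated`, `alloc_len_fixed` and `copy_ies_checked` are hypothetical names).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel-side request: ie_len is size_t. */
struct scan_request {
    size_t ie_len;
    const uint8_t *ie;
};

/* Fixed-size header the handler stores in front of the copied IEs
 * (constructed layout, not the driver's). */
#define HDR_LEN sizeof(size_t)

/* Buggy pattern: the size_t length is copied into a uint8_t local, so any
 * ie_len >= 256 is silently reduced modulo 256 before the allocation size
 * is computed. Returns the (too small) number of bytes that would be allocated. */
size_t alloc_len_truncated(const struct scan_request *req)
{
    uint8_t ie_len = (uint8_t)req->ie_len; /* implicit narrowing in the bug */
    return HDR_LEN + ie_len;
}

/* Fixed pattern: ie_len and the total stay size_t, so the allocation
 * matches the length that the later copy will use. */
size_t alloc_len_fixed(const struct scan_request *req)
{
    size_t ie_len = req->ie_len;
    return HDR_LEN + ie_len;
}

/* Defensive copy: verifies that alloc_len really covers header + ie_len
 * before allocating and copying; returns NULL instead of overflowing. */
uint8_t *copy_ies_checked(const struct scan_request *req, size_t alloc_len)
{
    if (alloc_len < HDR_LEN || alloc_len - HDR_LEN < req->ie_len)
        return NULL; /* allocation too small for the copy: refuse */
    uint8_t *buf = malloc(alloc_len);
    if (!buf)
        return NULL;
    memcpy(buf, &req->ie_len, HDR_LEN);
    memcpy(buf + HDR_LEN, req->ie, req->ie_len);
    return buf;
}
```

With a 300-byte IE blob the truncated computation yields room for only 44 IE bytes, which `copy_ies_checked` rejects, while the `size_t` computation allocates the full 300 bytes.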
Diffstat (limited to 'net/lapb/lapb_timer.c')
0 files changed, 0 insertions, 0 deletions
