diff options
| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2018-08-27 18:26:01 +0530 |
|---|---|---|
| committer | firebird11 <hbgassel@gmail.com> | 2018-11-29 20:15:51 +0100 |
| commit | e0908fdefde6f7b95e1675e0e6383793e7071e22 (patch) | |
| tree | 41dac6c716e43910194ee8341a7d908849155c96 | |
| parent | e0ac244f5a4e57460ac6cf0e3df0e0b999791556 (diff) | |
prima: Reset Maximum allowable size of a beacon frame
While updating probe response template, driver uses
probeRespTemplateLen as the maximum allowable size of beacon frame.
In case if the content of probeRespTemplateLen is greater than
SCH_MAX_PROBE_RESP_SIZE (700) results in Buffer Overflow while
copying probeRespTemplate buffer to local buffer.
Fix is to validate probeRespTemplateLen against maximum allowable
size (SCH_MAX_PROBE_RESP_SIZE) and if probeRespTemplateLen is
greater than maximum then reset to SCH_MAX_PROBE_RESP_SIZE.
Change-Id: Iccc8e63c78b104d0c2ba5a6995e72c47ac8f8e25
CRs-Fixed: 2303693
| -rw-r--r-- | drivers/staging/prima/CORE/WDA/src/wlan_qct_wda.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/staging/prima/CORE/WDA/src/wlan_qct_wda.c b/drivers/staging/prima/CORE/WDA/src/wlan_qct_wda.c index 6e506517aa8..d805f298930 100644 --- a/drivers/staging/prima/CORE/WDA/src/wlan_qct_wda.c +++ b/drivers/staging/prima/CORE/WDA/src/wlan_qct_wda.c @@ -7662,6 +7662,10 @@ VOS_STATUS WDA_ProcessUpdateProbeRspTemplate(tWDA_CbContext *pWDA, WDI_Status status = WDI_STATUS_SUCCESS; WDI_UpdateProbeRspTemplateParamsType *wdiSendProbeRspParam = vos_mem_malloc(sizeof(WDI_UpdateProbeRspTemplateParamsType)); + + if(pSendProbeRspParams->probeRespTemplateLen > SCH_MAX_PROBE_RESP_SIZE) + pSendProbeRspParams->probeRespTemplateLen = SCH_MAX_PROBE_RESP_SIZE; + VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO, "------> %s " ,__func__); |