wlan: Avoid int overflow in csr_scan_save_preferred_network_found()
Add validation check on frameLength to avoid int overflow in
csr_scan_save_preferred_network_found function.
Issue: SEC-1807
Change-Id: I6bcdfb757610152bc801d5134e62dd58629d1e81
CRs-Fixed: 2232358
Signed-off-by: Gururaj Patil <gururaj.patil3@harman.com>
diff --git a/drivers/staging/prima/CORE/SME/src/csr/csrApiScan.c b/drivers/staging/prima/CORE/SME/src/csr/csrApiScan.c
index 06a34c6..874c223 100644
--- a/drivers/staging/prima/CORE/SME/src/csr/csrApiScan.c
+++ b/drivers/staging/prima/CORE/SME/src/csr/csrApiScan.c
@@ -8400,6 +8400,13 @@
uLen = pPrefNetworkFoundInd->frameLength -
(SIR_MAC_HDR_LEN_3A + SIR_MAC_B_PR_SSID_OFFSET);
}
+ if (uLen > (UINT_MAX - sizeof(tCsrScanResult))) {
+ smsLog(pMac, LOGE,
+ FL("Incorrect len: %d, may leads to int overflow, uLen %d"),
+ pPrefNetworkFoundInd->frameLength, uLen);
+ vos_mem_vfree(pParsedFrame);
+ return eHAL_STATUS_FAILURE;
+ }
pScanResult = vos_mem_malloc(sizeof(tCsrScanResult) + uLen);
if ( NULL == pScanResult )
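Review bot: The added guard `if (uLen > (UINT_MAX - sizeof(tCsrScanResult)))` only stops `sizeof(tCsrScanResult) + uLen` from wrapping; any frameLength short of roughly UINT_MAX still passes and reaches `vos_mem_malloc`. A length that does not match the bytes actually delivered in the indication is therefore not rejected. If later code copies uLen bytes out of the indication (inferred, since the rest of csr_scan_save_preferred_network_found lies outside this hunk), the bound should be the real message or maximum frame size, e.g. `if (uLen > PREF_NETWORK_FRAME_MAX_LEN)`, where the constant name is a placeholder for whatever limit the driver defines. The log call also prints both lengths with `%d`, although uLen is compared against UINT_MAX and so appears to be unsigned; `%u` would keep the oversized value from being logged as a negative number.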