wlan: Memory corruption fix
Memory corruption happens because the MSG element is not set properly. A garbage
argument value will overwrite a memory area.
Change-Id: I677b86def8d90207e4090e1d2f3714ce75bffd95
CR-Fixed: 415391
diff --git a/CORE/MAC/src/pe/lim/limSerDesUtils.c b/CORE/MAC/src/pe/lim/limSerDesUtils.c
index 2a92a0c..fae8bb3 100644
--- a/CORE/MAC/src/pe/lim/limSerDesUtils.c
+++ b/CORE/MAC/src/pe/lim/limSerDesUtils.c
@@ -245,31 +245,38 @@
if (limCheckRemainingLength(pMac, len) == eSIR_FAILURE)
return eSIR_FAILURE;
+ /* 3 reserved bytes for padding */
+ pBuf += (3 * sizeof(tANI_U8));
+ len -= 3;
+
pBssDescription->WscIeLen = limGetU32( pBuf );
pBuf += sizeof(tANI_U32);
len -= sizeof(tANI_U32);
if (limCheckRemainingLength(pMac, len) == eSIR_FAILURE)
return eSIR_FAILURE;
- if (pBssDescription->WscIeLen)
+ if (WSCIE_PROBE_RSP_LEN < len)
{
- if(pBssDescription->WscIeLen <= WSCIE_PROBE_RSP_LEN )
- {
- palCopyMemory( pMac->hHdd, (tANI_U8 *) pBssDescription->WscIeProbeRsp,
+ /* Do not copy with WscIeLen
+ * if WscIeLen is not set properly, memory overwrite happen
+ * Ended up with memory corruption and crash
+ * Copy with Fixed size */
+ palCopyMemory( pMac->hHdd, (tANI_U8 *) pBssDescription->WscIeProbeRsp,
pBuf,
- pBssDescription->WscIeLen);
- }
- else
- {
- limLog(pMac, LOGE,
- FL("WscIeLen is greater than WSCIE_PROBE_RSP_LEN= %d\n"),
- pBssDescription->WscIeLen);
- return eSIR_FAILURE;
- }
+ WSCIE_PROBE_RSP_LEN);
+
}
-
- pBuf += WSCIE_PROBE_RSP_LEN;
- len -= WSCIE_PROBE_RSP_LEN;
+ else
+ {
+ limLog(pMac, LOGE,
+ FL("remaining bytes len %d is less than WSCIE_PROBE_RSP_LEN\n"),
+ pBssDescription->WscIeLen);
+ return eSIR_FAILURE;
+ }
+
+ /* 1 reserved byte padding */
+ pBuf += (WSCIE_PROBE_RSP_LEN + 1);
+ len -= (WSCIE_PROBE_RSP_LEN + 1);
if (len > 0)
{