wlan: Remove off-by-one write condition in sch_beacon_process
In the API, the driver inserts a 0 after the SSID name to mark the
end of the SSID, but if the SSID name is 32 characters, which is
the maximum possible SSID length, the driver writes the 0 at the 33rd
byte of the buffer, which is not part of the SSID name; this
results in an OOB write, i.e. an off-by-one write condition.
Fix is to remove the addition of 0 after ssid, as in every
case the driver prints the ssid, taking the ssid length
as the input, and in that case insertion of 0 will not serve
any purpose.
Change-Id: I1d58026ec9f48fe9d00bd2f50783c65899588978
CRs-Fixed: 2598900
diff --git a/CORE/MAC/inc/sirMacProtDef.h b/CORE/MAC/inc/sirMacProtDef.h
index b7e4ce9..02c94d2 100644
--- a/CORE/MAC/inc/sirMacProtDef.h
+++ b/CORE/MAC/inc/sirMacProtDef.h
@@ -1103,11 +1103,11 @@
tANI_U8 rate[SIR_MAC_RATESET_EID_MAX];
} __ani_attr_packed tSirMacRateSet;
-
+//Reserve 1 byte for NULL character in the SSID name field to print in %s
typedef __ani_attr_pre_packed struct sSirMacSSid
{
tANI_U8 length;
- tANI_U8 ssId[32];
+ tANI_U8 ssId[SIR_MAC_MAX_SSID_LENGTH + 1];
} __ani_attr_packed tSirMacSSid;
typedef __ani_attr_pre_packed struct sSirMacWpaInfo
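Review bot: The comment added above `tSirMacSSid` promises a NUL byte "to print in %s", but the only write of that terminator shown in this change is the one removed from schBeaconProcess.c, so after this commit `ssId` is not guaranteed NUL-terminated and a `%s` on it can still read past `length`. The commit description also says the fix is to drop the terminator, which contradicts the reserved-byte comment. I would word the comment as a constraint rather than a guarantee, e.g. `/* One spare byte beyond SIR_MAC_MAX_SSID_LENGTH; ssId is NOT NUL-terminated, print with "%.*s" and length */`. Growing a `__ani_attr_packed` struct by one byte also changes `sizeof(tSirMacSSid)`; if this type is part of a message layout shared with firmware or copied by `sizeof` elsewhere (not visible in this hunk), that use should be checked before the size change lands.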
diff --git a/CORE/MAC/src/pe/sch/schBeaconProcess.c b/CORE/MAC/src/pe/sch/schBeaconProcess.c
index ef899bd..2dc4a1f 100644
--- a/CORE/MAC/src/pe/sch/schBeaconProcess.c
+++ b/CORE/MAC/src/pe/sch/schBeaconProcess.c
@@ -759,10 +759,6 @@
return;
}
- if (beaconStruct.ssidPresent)
- {
- beaconStruct.ssId.ssId[beaconStruct.ssId.length] = 0;
- }
/*
* First process the beacon in the context of any existing AP or BTAP session.