commit 7231db001aaa0447dda3498a43cd0f2a29b0970c
author Yeshwanth Sriram Guntuka <ysriramg@codeaurora.org> Fri Aug 10 15:18:21 2018 +0530
committer Yeshwanth Sriram Guntuka <ysriramg@codeaurora.org> Fri Aug 10 15:45:45 2018 +0530
tree d91261ecbe0cac0df1a81bcc718b0c643aff0417
parent 61d1bfe7ce93c89eacd4565af38a399612c3a83b

wlan: Fix buffer overwrite in csrRoamCheckForLinkStatusChange

Fix possible buffer overwrite in csrRoamCheckForLinkStatusChange
function on receiving eSIR_SME_JOINED_NEW_BSS message.

Change-Id: Icf4a39e0a2a291f1c084353985aa7952e3c8e136
CRs-Fixed: 2294790

CORE/SME/src/csr/csrApiRoam.c

diff --git a/CORE/SME/src/csr/csrApiRoam.c b/CORE/SME/src/csr/csrApiRoam.c
index 92437a1..7734e0a 100644
--- a/CORE/SME/src/csr/csrApiRoam.c
+++ b/CORE/SME/src/csr/csrApiRoam.c
@@ -10508,11 +10508,14 @@
                                 if(pNewBss)
                                 {
                                     vos_mem_copy(pIbssLog->bssid, pNewBss->bssId, 6);
-                                    if(pNewBss->ssId.length)
-                                    {
-                                        vos_mem_copy(pIbssLog->ssid, pNewBss->ssId.ssId,
-                                                     pNewBss->ssId.length);
-                                    }
+                                    if(pNewBss->ssId.length >
+                                       VOS_LOG_MAX_SSID_SIZE)
+                                        pNewBss->ssId.length =
+                                                          VOS_LOG_MAX_SSID_SIZE;
+
+                                    vos_mem_copy(pIbssLog->ssid,
+                                                 pNewBss->ssId.ssId,
+                                                 pNewBss->ssId.length);
                                     pIbssLog->operatingChannel = pNewBss->channelNumber;
                                 }
                                 if(HAL_STATUS_SUCCESS(ccmCfgGetInt(pMac, WNI_CFG_BEACON_INTERVAL, &bi)))