Merge "wlan: Fix integer overflow in rrm_fill_beacon_ies()" into wlan-driver.lnx.1.0
diff --git a/CORE/MAC/src/pe/rrm/rrmApi.c b/CORE/MAC/src/pe/rrm/rrmApi.c
index a397069..d43dc9c 100644
--- a/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -678,7 +678,8 @@
tANI_U8 *eids, tANI_U8 numEids,
tpSirBssDescription pBssDesc )
{
- tANI_U8 len, *pBcnIes, BcnNumIes, count = 0, i;
+ tANI_U8 len, *pBcnIes, count = 0, i;
+ tANI_U16 BcnNumIes = 0;
if( (pIes == NULL) || (pNumIes == NULL) || (pBssDesc == NULL) )
{
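Review bot: `len` is still a `tANI_U8` in the rewritten declaration, so only `BcnNumIes` is widened. In the second hunk `len += 2` therefore wraps to 0 or 1 when the length byte is 254 or 255, and the new `len <= 2` guard then reports a maximum-size element as invalid and stops the walk. Declaring it next to the counter keeps the sum exact: `tANI_U8 *pBcnIes, count = 0, i;` and `tANI_U16 len, BcnNumIes = 0;`. The rest of the function is outside the hunk, so any place that stores `len` into an 8-bit field would need checking.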
@@ -705,10 +706,17 @@
while ( BcnNumIes > 0 )
{
- len = *(pBcnIes + 1) + 2; //element id + length.
+ len = *(pBcnIes + 1); //element id + length.
+ len += 2;
limLog( pMac, LOG3, "EID = %d, len = %d total = %d",
*pBcnIes, *(pBcnIes+1), len );
+ if (BcnNumIes < len || len <= 2) {
+ limLog(pMac, LOGE, "RRM: Invalid IE len:%d exp_len:%d",
+ len, BcnNumIes);
+ break;
+ }
+
i = 0;
do
{
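Review bot: The length byte `*(pBcnIes + 1)` is read before anything confirms that two bytes remain. The loop condition only requires `BcnNumIes > 0`, so with a single trailing byte the read and the LOG3 call touch one byte past the counted remainder; a guard ahead of the read, `if (BcnNumIes < 2) break;`, closes that. The `len <= 2` half of the new check also rejects a zero-length element (`len == 2`) and ends the whole walk rather than skipping it, so later elements are silently dropped; if that is intended it deserves a comment. The `//element id + length.` comment now belongs on the `len += 2;` line. The do-loop body continues outside the hunk.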