wlan: Fix to validate numSSID and bssType in scan request path
This commit adds check to validate numSSID to avoid out of buffer
operations and also a check to bssType to make sure that it is
non-negative.
CRs-Fixed: 830193
Change-Id: I164b4d2bb16f8ee88d9ca697d5505bce1628a75e
diff --git a/CORE/MAC/src/pe/lim/limSmeReqUtils.c b/CORE/MAC/src/pe/lim/limSmeReqUtils.c
index 1f87270..42689a2 100644
--- a/CORE/MAC/src/pe/lim/limSmeReqUtils.c
+++ b/CORE/MAC/src/pe/lim/limSmeReqUtils.c
@@ -855,6 +855,13 @@
tANI_U8 valid = true;
tANI_U8 i = 0;
+ if (pScanReq->numSsid > SIR_SCAN_MAX_NUM_SSID)
+ {
+ valid = false;
+ limLog(pMac, LOGE, FL("Number of SSIDs > SIR_SCAN_MAX_NUM_SSID"));
+ goto end;
+ }
+
for (i = 0; i < pScanReq->numSsid; i++)
{
if (pScanReq->ssId[i].length > SIR_MAC_MAX_SSID_LENGTH)
@@ -865,7 +872,7 @@
goto end;
}
}
- if (pScanReq->bssType > eSIR_AUTO_MODE)
+ if ((pScanReq->bssType < 0) || (pScanReq->bssType > eSIR_AUTO_MODE))
{
limLog(pMac, LOGE, FL("Invalid BSS Type"));
valid = false;