wlan: Fix to validate numSSID and bssType in scan request path This commit adds check to validate numSSID to avoid out of buffer operations and also a check to bssType to make sure that it is non-negative. CRs-Fixed: 830193 Change-Id: I164b4d2bb16f8ee88d9ca697d5505bce1628a75e

commit: d9205945466a6ad4fe9092dc38e8adffec8ed4e3 [log] [tgz]
author: Abhishek Singh <absingh@qti.qualcomm.com> Wed Apr 29 14:45:36 2015 +0530
committer: Satyanarayana Dash <c_sadash@qti.qualcomm.com> Thu Apr 30 18:09:59 2015 +0530
tree: b5e2eead6f386e3ffdb115094f389262cadcfd6f
parent: 8659217f298b8d6b0b082af9bff465dcafc5a38c [diff] [blame]
diff --git a/CORE/MAC/src/pe/lim/limSmeReqUtils.c b/CORE/MAC/src/pe/lim/limSmeReqUtils.c
index 1f87270..42689a2 100644
--- a/CORE/MAC/src/pe/lim/limSmeReqUtils.c
+++ b/CORE/MAC/src/pe/lim/limSmeReqUtils.c

@@ -855,6 +855,13 @@
     tANI_U8 valid = true;
     tANI_U8 i = 0;
 
+    if (pScanReq->numSsid > SIR_SCAN_MAX_NUM_SSID)
+    {
+        valid = false;
+        limLog(pMac, LOGE, FL("Number of SSIDs > SIR_SCAN_MAX_NUM_SSID"));
+        goto end;
+    }
+
     for (i = 0; i < pScanReq->numSsid; i++)
     {
         if (pScanReq->ssId[i].length > SIR_MAC_MAX_SSID_LENGTH)
@@ -865,7 +872,7 @@
             goto end;    
         }
     }
-    if (pScanReq->bssType > eSIR_AUTO_MODE)
+    if ((pScanReq->bssType < 0) || (pScanReq->bssType > eSIR_AUTO_MODE))
     {
         limLog(pMac, LOGE, FL("Invalid BSS Type"));
         valid = false;
commit	d9205945466a6ad4fe9092dc38e8adffec8ed4e3	[log] [tgz]
author	Abhishek Singh <absingh@qti.qualcomm.com>	Wed Apr 29 14:45:36 2015 +0530
committer	Satyanarayana Dash <c_sadash@qti.qualcomm.com>	Thu Apr 30 18:09:59 2015 +0530
tree	b5e2eead6f386e3ffdb115094f389262cadcfd6f
parent	8659217f298b8d6b0b082af9bff465dcafc5a38c [diff] [blame]