wlan: Fix possible buffer overflow
If channel index is greater than the max limit
(MAX_BSS_IN_NEIGHBOR_RPT), then it can result in out of bound
access. Also, if numChannels in scan request is greater than
SIR_ESE_MAX_MEAS_IE_REQS, then it can result in out of bound
access in limSendHalStartScanOffloadReq.
Add a check on index variable against MAX_BSS_IN_NEIGHBOR_RPT
in csrNeighborRoamCreateChanListFromNeighborReport and limit
the value of pScanReq->channelList.numChannels to
SIR_ESE_MAX_MEAS_IE_REQS in limSendHalStartScanOffloadReq
to make sure numChannels does not exceed the max limit.
Change-Id: Ic602443125cc30535018d23bd3f941307888c37e
CRs-Fixed: 2195886
diff --git a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
index 5276aa4..59934c6 100644
--- a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c
@@ -1121,6 +1121,8 @@
tSirMsgQ msg;
tANI_U16 i, len;
tSirRetStatus rc = eSIR_SUCCESS;
+ if (pScanReq->channelList.numChannels > SIR_ESE_MAX_MEAS_IE_REQS)
+ pScanReq->channelList.numChannels = SIR_ESE_MAX_MEAS_IE_REQS;
/* The tSirScanOffloadReq will reserve the space for first channel,
so allocate the memory for (numChannels - 1) and uIEFieldLen */
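Review bot: the clamp at `if (pScanReq->channelList.numChannels > SIR_ESE_MAX_MEAS_IE_REQS)` silently truncates an over-long channel list instead of rejecting it, so the caller never learns that part of its requested scan was dropped; consider logging the original value together with the cap (or returning an error to the caller) before the allocation that follows, so that truncation is observable in the driver logs rather than showing up only as missing scan results.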
diff --git a/CORE/SME/src/csr/csrNeighborRoam.c b/CORE/SME/src/csr/csrNeighborRoam.c
index 8663269..e1c5d1a 100644
--- a/CORE/SME/src/csr/csrNeighborRoam.c
+++ b/CORE/SME/src/csr/csrNeighborRoam.c
@@ -3392,7 +3392,7 @@
break;
}
- if (i == numChannels)
+ if (i == numChannels && i < MAX_BSS_IN_NEIGHBOR_RPT)
{
if (pNeighborBssDesc->pNeighborBssDescription->channel)
{
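Review bot: the added `i < MAX_BSS_IN_NEIGHBOR_RPT` guard keeps the write from going past the end of the channel list, but when the list is already full the new channel is dropped without any trace; add an else branch with a log line so a neighbor report carrying more than MAX_BSS_IN_NEIGHBOR_RPT distinct channels is visible when debugging roaming. Since the guard is only evaluated when `i == numChannels`, the condition is equivalent to `numChannels < MAX_BSS_IN_NEIGHBOR_RPT`, which reads more directly as a capacity check.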