wlan: fix buffer overflow in psessionEntry->pSchBeaconFrameBegin
psessionEntry->pSchBeaconFrameBegin is allocated with a fixed length of
SCH_MAX_BEACON_SIZE. Do not copy data into the buffer beyond the end of
psessionEntry->pSchBeaconFrameBegin.
Change-Id: I539692c01753b991a963b0416177cf5b474cfdf8
CRs-Fixed: 2579375
diff --git a/CORE/MAC/src/pe/sch/schBeaconGen.c b/CORE/MAC/src/pe/sch/schBeaconGen.c
index 19553ad..6c0b520 100644
--- a/CORE/MAC/src/pe/sch/schBeaconGen.c
+++ b/CORE/MAC/src/pe/sch/schBeaconGen.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -797,6 +797,13 @@
// copy end of beacon only if length > 0
if (length > 0)
{
+ if (size + pMac->sch.schObject.gSchBeaconOffsetEnd >
+ SCH_MAX_BEACON_SIZE) {
+ PELOGE(schLog(pMac, LOGE,
+ FL("beacon template fail size %d BeaconOffsetEnd %d"),
+ size, pMac->sch.schObject.gSchBeaconOffsetEnd);)
+ return;
+ }
for (i=0; i < pMac->sch.schObject.gSchBeaconOffsetEnd; i++)
pMac->sch.schObject.gSchBeaconFrameBegin[size++] = pMac->sch.schObject.gSchBeaconFrameEnd[i];
}
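Review bot: The new guard before the copy loop bounds only the destination index, and its addition is safe only if `size` and `gSchBeaconOffsetEnd` are narrow enough not to wrap; their types are not visible in this hunk. Writing it in subtraction form removes that dependency: `if (size > SCH_MAX_BEACON_SIZE || pMac->sch.schObject.gSchBeaconOffsetEnd > SCH_MAX_BEACON_SIZE - size)`. The loop writes to `pMac->sch.schObject.gSchBeaconFrameBegin`, while the commit message names `psessionEntry->pSchBeaconFrameBegin`, so it is worth confirming that the array written here really holds SCH_MAX_BEACON_SIZE bytes, ideally by bounding against `sizeof` of that array if it is one. The early `return` also leaves the function without reporting failure to the caller, and because the enclosing function starts and ends outside the hunk, what state is skipped cannot be judged from here.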