qcacmn: Fix OOB read in util_scan_gen_scan_entry
qdf_mem_copy() is called in util_scan_gen_scan_entry() to copy the ssid
into scan_entry using a fixed length of WLAN_SSID_MAX_LEN. Because the
length of the ssid is only checked against the maximum value, a shorter
ssid results in an OOB read of up to WLAN_SSID_MAX_LEN bytes.
Change-Id: I150e7c7a75e7134cab1c4abeb799578166400461
CRs-Fixed: 2341004
diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index 4b2691a..ac6e2bc 100644
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -1084,7 +1084,7 @@
scan_entry->ie_list.ssid = NULL;
} else {
qdf_mem_copy(scan_entry->ssid.ssid,
- ssid->ssid, WLAN_SSID_MAX_LEN);
+ ssid->ssid, ssid->ssid_len);
scan_entry->ssid.length = ssid->ssid_len;
scan_entry->hidden_ssid_timestamp =
scan_entry->scan_entry_time;
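Review bot: The new `qdf_mem_copy(scan_entry->ssid.ssid, ssid->ssid, ssid->ssid_len)` is only safe on the write side because `ssid->ssid_len` was checked against WLAN_SSID_MAX_LEN earlier. That check is outside this hunk, as are the start and end of util_scan_gen_scan_entry(), so nothing at the copy site shows the bound. A comment on the copy would keep the dependency visible if the earlier check is ever moved, for example `/* ssid_len <= WLAN_SSID_MAX_LEN is enforced above; copy only the bytes the IE actually carries */`. The bytes of `scan_entry->ssid.ssid` past `ssid_len` are no longer written. If scan_entry is not zero-initialised when allocated (not visible here), any consumer that compares or logs the full WLAN_SSID_MAX_LEN buffer instead of honouring `ssid.length` would see stale data, so that is worth confirming.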