qcacmn: Fix OOB read in util_scan_gen_scan_entry qdf_mem_copy() is called in util_scan_gen_scan_entry() to copy the ssid into scan_entry using a length of WLAN_SSID_MAX_LEN. Because the length of ssid is only checked against the maximum value this will result in an OOB read of up to WLAN_SSID_MAX_LEN bytes. Change-Id: I150e7c7a75e7134cab1c4abeb799578166400461 CRs-Fixed: 2341004

commit: ab6c10d3bdba099b456886aa44ceb0ebdaebb799 [log] [tgz]
author: Harprit Chhabada <harpritchhabada@codeaurora.org> Wed Oct 31 10:52:34 2018 -0700
committer: nshrivas <nshrivas@codeaurora.org> Tue Nov 06 16:16:11 2018 -0800
tree: ade93562e9ddab4c46ac1f7735cc02b4fff6c7f5
parent: dc949c59bea39fc3042944b112afbe192a48f2ba [diff] [blame]
diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index 4b2691a..ac6e2bc 100644
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c

@@ -1084,7 +1084,7 @@
 		scan_entry->ie_list.ssid = NULL;
 	} else {
 		qdf_mem_copy(scan_entry->ssid.ssid,
-				ssid->ssid, WLAN_SSID_MAX_LEN);
+				ssid->ssid, ssid->ssid_len);
 		scan_entry->ssid.length = ssid->ssid_len;
 		scan_entry->hidden_ssid_timestamp =
 			scan_entry->scan_entry_time;
commit	ab6c10d3bdba099b456886aa44ceb0ebdaebb799	[log] [tgz]
author	Harprit Chhabada <harpritchhabada@codeaurora.org>	Wed Oct 31 10:52:34 2018 -0700
committer	nshrivas <nshrivas@codeaurora.org>	Tue Nov 06 16:16:11 2018 -0800
tree	ade93562e9ddab4c46ac1f7735cc02b4fff6c7f5
parent	dc949c59bea39fc3042944b112afbe192a48f2ba [diff] [blame]