qcacld-3.0: Avoid integer overflow in lim_update_ibss_prop_add_ies
In function lim_update_ibss_prop_add_ies size of a malloc is based on
sum of two integers. Add check for integer overflow before malloc.
Change-Id: Ia7f1b306e6eb99ee0cea9f2ef00123ca66a5c062
CRs-Fixed: 2119673
diff --git a/core/mac/src/pe/lim/lim_process_sme_req_messages.c b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
index 968b943..b9da6f7 100644
--- a/core/mac/src/pe/lim/lim_process_sme_req_messages.c
+++ b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
@@ -5438,9 +5438,21 @@
qdf_mem_copy(vendor_ie, pModifyIE->pIEBuffer,
pModifyIE->ieBufferlength);
} else {
- uint16_t new_length = pModifyIE->ieBufferlength + *pDstDataLen;
- uint8_t *new_ptr = qdf_mem_malloc(new_length);
+ uint16_t new_length;
+ uint8_t *new_ptr;
+ /*
+ * check for uint16 overflow before using sum of two numbers as
+ * length of size to malloc
+ */
+ if (USHRT_MAX - pModifyIE->ieBufferlength < *pDstDataLen) {
+ pe_err("U16 overflow due to %d + %d",
+ pModifyIE->ieBufferlength, *pDstDataLen);
+ return false;
+ }
+
+ new_length = pModifyIE->ieBufferlength + *pDstDataLen;
+ new_ptr = qdf_mem_malloc(new_length);
if (NULL == new_ptr) {
pe_err("Memory allocation failed");
return false;