77a8a13b1b99a6f7b0c335a1ff9a716de0d3dc02 - platform/vendor/qcom-opensource/wlan/qcacld-3.0

commit	77a8a13b1b99a6f7b0c335a1ff9a716de0d3dc02	[log] [tgz]
author	Pragaspathi Thilagaraj <tpragasp@codeaurora.org>	Thu Dec 05 19:55:28 2019 +0530
committer	nshrivas <nshrivas@codeaurora.org>	Fri Dec 27 16:30:28 2019 -0800
tree	1a3500751e3bdd281c73f4a0c5b38c1d36389eb7
parent	16736e9253970eee84e841fd36ae4eecc5e9e281 [diff]

qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, the total IE length is
calculated as sum of length field of the IE and 2 (element id 1
byte and IE length field 1 byte). The total IE length is defined
of type uint16_t and will overflow if the *(pBcnIes + 1)=0xfe.

Validate the len against total IE length to avoid overflow.

Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329

core/mac/src/pe/rrm/rrm_api.c[diff]

1 file changed

tree: 1a3500751e3bdd281c73f4a0c5b38c1d36389eb7

components/
configs/
core/
os_if/
uapi/
Android.mk
Kbuild
Kconfig
Makefile
README.txt