Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / 7a048f72e39bf3140760841e3e1c9734a5adac6b
commit7a048f72e39bf3140760841e3e1c9734a5adac6b[log] [tgz]
authorAbhinav Kumar <abhikuma@codeaurora.org>Tue Mar 05 12:06:33 2019 +0530
committernshrivas <nshrivas@codeaurora.org>Wed Mar 06 10:59:50 2019 -0800
tree9d7976cd53ca0f111b489e345aa2eb33224cebe0
parentfeba0b1d96b162b0871220fe221fd4bb5001667c [diff]
qcacld-3.0: Fix Integer overflow while sending beacon report

sme_ese_send_beacon_req_scan_results sends number of bss description
present in beacon report through bcn_report->numBss. For each
iteration driver could send max 4 BSS. In case if driver has to send
beacon report for more than 4 BSS, It sends 4 BSS per iteration. Once
first four results are sent and bcn_report->numBss is not set to 0,
in next iteration bcn_report->numBss++ start from 4 instead of 0.
This Result in sending value more than 4 instead of 4 for next rest
BSS and leads to Integer overflow for bcn_report->numBss.

Driver should memset beacon_rep buffer for each iteration in order to
prevent Integer overflow of bcn_report->numBss. By this driver
could send fresh beacon report (independent of previous beacon report)
in each iteration.

Fix is to memset beacon_rep buffer to zero after sending beacon
report in each iteration in sme_ese_send_beacon_req_scan_results.

Change-Id: I0d07e54ec7f05e8eef388f9958fad597dc49873e
CRs-Fixed: 2408834
1 file changed
tree: 9d7976cd53ca0f111b489e345aa2eb33224cebe0
  1. components/
  2. configs/
  3. core/
  4. os_if/
  5. uapi/
  6. Android.mk
  7. Kbuild
  8. Kconfig
  9. Makefile
  10. README.txt