qcacld-3.0: Fix buffer overflow in __lim_process_roam_scan_offload_req
In validation code, change condition local_ie_len <= to always less than
QDF_ARRAY_SIZE(array) value, to avoid buffer overflow.
Change-Id: I9612ce6e922dd481747253b3b35d74060439c159
CRs-Fixed: 1082162
diff --git a/core/mac/src/pe/lim/lim_process_sme_req_messages.c b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
index 9bf72ec..ace88d8 100644
--- a/core/mac/src/pe/lim/lim_process_sme_req_messages.c
+++ b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
@@ -4156,16 +4156,17 @@
local_ie_buf = qdf_mem_malloc(MAX_DEFAULT_SCAN_IE_LEN);
if (!local_ie_buf) {
- lim_log(mac_ctx, LOGE, FL("Mem Alloc failed for local_ie_buf"));
+ lim_log(mac_ctx, LOGE,
+ FL("Mem Alloc failed for local_ie_buf"));
return;
}
local_ie_len = req_buffer->assoc_ie.length;
/* Update ext cap IE if present */
if (local_ie_len &&
- !lim_update_ext_cap_ie(mac_ctx, req_buffer->assoc_ie.addIEdata,
- local_ie_buf, &local_ie_len)) {
- if (local_ie_len <=
+ !lim_update_ext_cap_ie(mac_ctx, req_buffer->assoc_ie.addIEdata,
+ local_ie_buf, &local_ie_len)) {
+ if (local_ie_len <
QDF_ARRAY_SIZE(req_buffer->assoc_ie.addIEdata)) {
req_buffer->assoc_ie.length = local_ie_len;
qdf_mem_copy(req_buffer->assoc_ie.addIEdata,