qcacld-3.0: Fix possible integer overflow in lim
In the function lim_process_sme_update_access_policy_vendor_ie,
update_vendor_ie is parsed from the incomming msg. num_bytes is
the length of the IE and is retrived as
update_vendor_ie->ie[1]+2. This num_bytes value is used as the
size to copy the IE to pe_session_entry->access_policy_vendor_ie
The update_vendor_ie->ie[1] can have a maximum value of
SIR_MAC_MAX_IE_LENGTH . As the num_bytes is of uint8_t,a
possible integer overflow can occur in
lim_process_sme_update_access_policy_vendor_ie when num_bytes is
assigned with update_vendor_ie->ie[1].
Change the data type of the num_bytes to uint16_t so that it can
hold the value of update_vendor_ie->ie[1] without truncation.
Change-Id: I05c7e83a741bf1c9c0707be51f97eae9eff1ac97
CRs-Fixed: 2235044
1 file changed