qcacld-3.0: Fix buffer overwrite in lim_send_probe_rsp_template_to_hal

In function lim_send_probe_rsp_template_to_hal, memset is done for the
allocated packet for length nBytes which is calculated as size of payload +
MAC header + addn_ielen.
However, the buffer used, psessionEntry->pSchProbeRspTemplate, is allocated
for length 512 (SCH_MAX_PROBE_RESP_SIZE) only, as part of create session.
This leads to a potential overflow of the memory if the nBytes calculated is
greater than 512, leading to a kernel panic while freeing the memory in
delete session.

Add sanity check to make sure we do not exceed the SCH_MAX_PROBE_RESP_SIZE
before doing a memset on the buffer.

Change-Id: I4657d34a429b1f0c11ac8ca24869727c222669b8
CRs-Fixed: 2160086
1 file changed
tree: 68fb7f1e4e436807f2c0fc66b2c50f2353c588eb
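The check described in the commit message, as an added user-space C model (not the driver's code and not part of the original commit). `SCH_MAX_PROBE_RESP_SIZE` and its value 512 come from the commit message; `struct session`, `MAC_HDR_LEN` and all function names are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SCH_MAX_PROBE_RESP_SIZE 512 /* size stated in the commit message */
#define MAC_HDR_LEN 24              /* assumption: 802.11 management header */

/* Hypothetical stand-in for the session; only the template buffer is modelled. */
struct session {
    uint8_t *probe_rsp_template;    /* fixed-size buffer allocated at create */
};

int session_create(struct session *s)
{
    s->probe_rsp_template = malloc(SCH_MAX_PROBE_RESP_SIZE);
    return s->probe_rsp_template ? 0 : -1;
}

void session_delete(struct session *s)
{
    free(s->probe_rsp_template);
    s->probe_rsp_template = NULL;
}

/* Frame length (payload + MAC header + additional IEs), or 0 if it does not
 * fit the template buffer. The sum is taken in 64 bits so that two large
 * 32-bit inputs cannot wrap around to a small, "valid" length. */
size_t probe_rsp_frame_len(uint32_t payload, uint32_t addn_ielen)
{
    uint64_t n = (uint64_t)payload + MAC_HDR_LEN + addn_ielen;
    return n > SCH_MAX_PROBE_RESP_SIZE ? 0 : (size_t)n;
}

/* Returns 0 and sets *out_len on success, -1 if the frame would not fit. */
int build_probe_rsp_template(struct session *s, uint32_t payload,
                             uint32_t addn_ielen, size_t *out_len)
{
    size_t n = probe_rsp_frame_len(payload, addn_ielen);
    if (n == 0)
        return -1;                  /* reject before the buffer is touched */
    memset(s->probe_rsp_template, 0, n);
    *out_len = n;
    return 0;
}
```

Without the length check, the `memset` would write past the 512-byte allocation and the corruption would only surface later, when the buffer is freed.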