qcacld-3.0: Validate extscan channel list size
In function __wlan_hdd_cfg80211_extscan_get_valid_channel,
Valid channel list length is limited to 100. But if the channel list size
in NL request buffer is larger, it can cause a buffer overflow situation
while filling the channel list in the request buffer.
Change-Id: Ie6226934af3e40817ef4b44007915c36e501fd56
CRs-Fixed: 1083022
diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c
index e68da67..581f6e6 100644
--- a/core/hdd/src/wlan_hdd_ext_scan.c
+++ b/core/hdd/src/wlan_hdd_ext_scan.c
@@ -2565,6 +2565,13 @@
maxChannels =
nla_get_u32(tb
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS]);
+
+ if (maxChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN) {
+ hdd_err("Max channels %d exceeded Valid channel list len %d",
+ maxChannels, WNI_CFG_VALID_CHANNEL_LIST_LEN);
+ return -EINVAL;
+ }
+
hdd_notice("Req Id: %u Wifi band: %d Max channels: %d", requestId,
wifiBand, maxChannels);
status = sme_get_valid_channels_by_band((tHalHandle) (pHddCtx->hHal),