qcacld-3.0: Validate extscan channel list size In function __wlan_hdd_cfg80211_extscan_get_valid_channel, Valid channel list length is limited to 100. But if the channel list size in NL request buffer is larger, it can cause a buffer overflow situation while filling the channel list in the request buffer. Change-Id: Ie6226934af3e40817ef4b44007915c36e501fd56 CRs-Fixed: 1083022

commit: db4851832c1355a9b631000fb201cd9b9cfe44b4 [log] [tgz]
author: Manjeet Singh <manjee@codeaurora.org> Wed Nov 09 19:11:01 2016 +0530
committer: qcabuildsw <qcabuildsw@localhost> Mon Dec 12 17:06:06 2016 -0800
tree: d9dd64aa7dafb9f49a5d6f20d9b300c240c5079f
parent: fd51d8fbfea8b73c0e85db17e7d908e81868564f [diff] [blame]
diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c
index e68da67..581f6e6 100644
--- a/core/hdd/src/wlan_hdd_ext_scan.c
+++ b/core/hdd/src/wlan_hdd_ext_scan.c

@@ -2565,6 +2565,13 @@
 	maxChannels =
 		nla_get_u32(tb
 		    [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS]);
+
+	if (maxChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN) {
+		hdd_err("Max channels %d exceeded Valid channel list len %d",
+			maxChannels, WNI_CFG_VALID_CHANNEL_LIST_LEN);
+		return -EINVAL;
+	}
+
 	hdd_notice("Req Id: %u Wifi band: %d Max channels: %d", requestId,
 		    wifiBand, maxChannels);
 	status = sme_get_valid_channels_by_band((tHalHandle) (pHddCtx->hHal),
commit	db4851832c1355a9b631000fb201cd9b9cfe44b4	[log] [tgz]
author	Manjeet Singh <manjee@codeaurora.org>	Wed Nov 09 19:11:01 2016 +0530
committer	qcabuildsw <qcabuildsw@localhost>	Mon Dec 12 17:06:06 2016 -0800
tree	d9dd64aa7dafb9f49a5d6f20d9b300c240c5079f
parent	fd51d8fbfea8b73c0e85db17e7d908e81868564f [diff] [blame]