qcacld-3.0: Fix buf_len check in lim_send_sme_wm_status_change_ntf
lim_send_sme_wm_status_change_ntf is a generic function whose input buffer length depends on status_change_code. Use that same code to derive the maximum input buffer length checked before the memcopy operation.
Change-Id: Ie0d761ce7f85c4be9b164d1a281119560d337e01
CRs-Fixed: 1091486
diff --git a/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c b/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c
index df3a6a8..b1f5a45 100644
--- a/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c
+++ b/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c
@@ -1463,6 +1463,7 @@
{
tSirMsgQ msg;
tSirSmeWmStatusChangeNtf *wm_status_change_ntf;
+ uint32_t max_info_len;
wm_status_change_ntf = qdf_mem_malloc(sizeof(tSirSmeWmStatusChangeNtf));
if (NULL == wm_status_change_ntf) {
@@ -1476,6 +1477,18 @@
msg.bodyptr = wm_status_change_ntf;
switch (status_change_code) {
+ case eSIR_SME_AP_CAPS_CHANGED:
+ max_info_len = sizeof(tSirSmeApNewCaps);
+ break;
+ case eSIR_SME_JOINED_NEW_BSS:
+ max_info_len = sizeof(tSirSmeNewBssInfo);
+ break;
+ default:
+ max_info_len = sizeof(wm_status_change_ntf->statusChangeInfo);
+ break;
+ }
+
+ switch (status_change_code) {
case eSIR_SME_RADAR_DETECTED:
break;
default:
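Review bot: The per-code bound computed in the new switch is used as the upper limit for a copy into `wm_status_change_ntf->statusChangeInfo`, but nothing in the hunk ties `sizeof(tSirSmeApNewCaps)` or `sizeof(tSirSmeNewBssInfo)` to the size of that destination field; if either type is ever larger than the field (I cannot tell from this diff whether statusChangeInfo is a union of them), the relaxed check would let the copy overrun the allocation. A two-line clamp after the switch keeps the destination size as a hard ceiling regardless of how the payload types evolve: `if (max_info_len > sizeof(wm_status_change_ntf->statusChangeInfo))` / `max_info_len = sizeof(wm_status_change_ntf->statusChangeInfo);`. As a matter of style, the new switch and the existing one immediately below both dispatch on `status_change_code` and could be folded into a single switch, with `max_info_len` as a `size_t` since it only ever holds `sizeof` results. The enclosing function begins before this hunk and continues past it.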
@@ -1484,8 +1497,7 @@
wm_status_change_ntf->statusChangeCode = status_change_code;
wm_status_change_ntf->length = sizeof(tSirSmeWmStatusChangeNtf);
wm_status_change_ntf->sessionId = session_id;
- if (sizeof(wm_status_change_ntf->statusChangeInfo) >=
- info_len) {
+ if (info_len <= max_info_len && status_change_info) {
qdf_mem_copy(
(uint8_t *) &wm_status_change_ntf->statusChangeInfo,
(uint8_t *) status_change_info, info_len);
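Review bot: The rewritten guard on the `if` line now encodes two separate conditions (payload fits the code-specific bound, and a non-NULL source) without saying why the bound is no longer the union size, which is the whole point of the commit; a one-line comment above it would preserve that intent for the next reader, e.g. `/* bound is the payload type implied by status_change_code, not sizeof(statusChangeInfo) */`. The branch taken when the guard fails is outside the hunk, so I cannot see whether a rejected or NULL payload is logged before the notification is sent; if it is not, a debug log there would make a caller passing an oversized info_len visible rather than silently dropping the payload. The enclosing function continues past this hunk.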