Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5755251a authored by Abhinav Kumar's avatar Abhinav Kumar Committed by Gerrit - the friendly Code Review server
Browse files

prima: Fix OOB read in lim_send_chan_switch_action_frame 

In lim_send_chan_switch_action_frame, driver checks every node
in STA hash table when sending action frame. When sending action
frame, the driver will loop through the STA info hash table
(dphHashTable) to find all the STA need to receive unicast action
frame. The STA info stored in hash table (of size 41 bytes) from
the second node to the last, the first node is empty. But the current
loop is looping for 42 bytes (maxstation (of size 41 bytes) + 1)
results Invalid memory access.

Change the loop count to dphHashTable.size in order to stop OOB
read in lim_send_chan_switch_action_frame.

Change-Id: I2ee99d60c282b3f5ad660e3785ad554fb871b816
CRs-Fixed: 2356341
parent 602e0653
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment