Commit f950e558 authored by bings

wlan: fix buffer overflow in psessionEntry->pSchBeaconFrameBegin

psessionEntry->pSchBeaconFrameBegin is allocated with fixed length
SCH_MAX_BEACON_SIZE. Do not copy the value to the buffer exceeding
psessionEntry->pSchBeaconFrameBegin.

Change-Id: I539692c01753b991a963b0416177cf5b474cfdf8
CRs-Fixed: 2579375
parent 7458081a
+8 −1
/*
 * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -797,6 +797,13 @@ void writeBeaconToMemory(tpAniSirGlobal pMac, tANI_U16 size, tANI_U16 length, tp
    // copy end of beacon only if length > 0
    if (length > 0)
    {
        if (size + pMac->sch.schObject.gSchBeaconOffsetEnd >
            SCH_MAX_BEACON_SIZE) {
            PELOGE(schLog(pMac, LOGE,
                   FL("beacon template fail size %d BeaconOffsetEnd %d"),
                   size, pMac->sch.schObject.gSchBeaconOffsetEnd);)
            return;
        }
        for (i=0; i < pMac->sch.schObject.gSchBeaconOffsetEnd; i++)
            pMac->sch.schObject.gSchBeaconFrameBegin[size++] = pMac->sch.schObject.gSchBeaconFrameEnd[i];
    }
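Review bot: The bound in the added check, `size + pMac->sch.schObject.gSchBeaconOffsetEnd > SCH_MAX_BEACON_SIZE`, is justified in the commit message by the allocation of psessionEntry->pSchBeaconFrameBegin, but the loop right below it writes to pMac->sch.schObject.gSchBeaconFrameBegin. Please confirm that this buffer is also SCH_MAX_BEACON_SIZE bytes (or that the two refer to the same storage) and say so in the message or in a comment next to the check, since the guard is only correct if the constant matches the destination actually indexed by `size++`. Two smaller points in the same block: the function is `void` and the new path is a bare `return;`, so the caller cannot tell that the beacon template was not completed; consider returning a status or at least documenting that the only signal is the LOGE line. Also, the type of gSchBeaconOffsetEnd is not visible here; if it is wider than tANI_U16 the sum should be checked so it cannot wrap, and the read side `gSchBeaconFrameEnd[i]` is bounded only by that same field, so it is worth confirming it is validated where it is set.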