Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d58c6b7a authored by Jingxiang Ge's avatar Jingxiang Ge
Browse files

qcacld-3.0: Add length check in wma_update_beacon_noa_ie 

It may cause out of bound access if length exceed
SIR_MAX_BEACON_SIZE.

Add length check to protect that.

Change-Id: I6581b62aa8b380a0f1195a16515ad635a9154023
CRs-Fixed: 3147267
parent 6e6ebf7e

core/wma/src/wma_power.c

+9 −0
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2013-2020 The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 *

 * Permission to use, copy, modify, and/or distribute this software for

 * any purpose with or without fee is hereby granted, provided that the
@@ -1193,6 +1194,14 @@ static void wma_update_beacon_noa_ie(struct beacon_info *bcn, 
		bcn->noa_ie = buf + bcn->len;

	}



	if (bcn->len + sizeof(struct p2p_ie) + new_noa_sub_ie_len >

	    SIR_MAX_BEACON_SIZE) {

		wma_err("exceed max beacon length, bcn->len %d, new_noa_sub_ie_len %d, p2p len %u",

			bcn->len, new_noa_sub_ie_len,

			(uint32_t)sizeof(struct p2p_ie));

		return;

	}



	bcn->noa_sub_ie_len = new_noa_sub_ie_len;

	wma_add_p2p_ie(bcn->noa_ie);

	p2p_ie = (struct p2p_ie *)bcn->noa_ie;