
Commit 0aa702fc authored by Pragaspathi Thilagaraj, committed by Gerrit - the friendly Code Review server

qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, the total IE length is
calculated as the sum of the length field of the IE and 2 (element id 1
byte and IE length field 1 byte). The total IE length is defined
as type uint16_t and will overflow if *(pBcnIes + 1) = 0xfe.

Validate the len against total IE length to avoid overflow.

Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329
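To make the failure mode concrete, here is an added example (not the driver's code) that reproduces the wrap-around of an 8-bit element length plus 2 and, beside it, an element walker whose bounds check is done on the remaining byte count before any addition, so it cannot wrap. The IE blobs are constructed samples, not captured beacons.

```c
/* Added example, not from qcacld-3.0: 802.11 information elements are
 * 1-byte ID, 1-byte length, payload. */
#include <stdint.h>
#include <stddef.h>

/* Mirrors the narrow-type arithmetic: with an 8-bit len, a length byte of
 * 0xfe or 0xff makes "len += 2" wrap to 0 or 1, so a "!len" check is not
 * a reliable guard and a later "len <= 2" check sees a tiny value. */
static uint8_t narrow_total_len(uint8_t ie_len_byte)
{
    uint8_t len = ie_len_byte;
    len += 2;               /* element id + length; wraps modulo 256 */
    return len;
}

/* Walks the elements in buf[0..n), returning the element count, or -1 at
 * the first element whose header or payload runs past the buffer. The
 * comparison is against the size_t remaining count, so no operand can
 * overflow whatever the length byte holds. */
static int count_valid_ies(const uint8_t *buf, size_t n)
{
    int count = 0;
    size_t off = 0;
    while (off < n) {
        size_t remaining = n - off;
        if (remaining < 2)           /* no room for id + length header */
            return -1;
        uint8_t elen = buf[off + 1];
        if (elen > remaining - 2)    /* payload would run past the end */
            return -1;
        off += 2 + (size_t)elen;     /* zero-length elements are legal */
        count++;
    }
    return count;
}

/* Constructed sample element lists (not real traffic). */
static const uint8_t good_ies[] = {
    0x00, 0x00,                         /* SSID, length 0 (hidden SSID) */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96, /* supported rates */
    0x03, 0x01, 0x06                    /* DS parameter set, channel 6 */
};
static const uint8_t bad_ies[] = {
    0x03, 0x01, 0x06,
    0xdd, 0xfe, 0x00, 0x50, 0xf2        /* claims 254 payload bytes, 3 present */
};
```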
parent 7564e615
+10 −3
@@ -745,12 +745,19 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
	}

	while (BcnNumIes > 0) {
		len = *(pBcnIes + 1) + 2;       /* element id + length. */
		len = *(pBcnIes + 1);
		len += 2;       /* element id + length. */
		pe_debug("EID = %d, len = %d total = %d",
			*pBcnIes, *(pBcnIes + 1), len);

		if (!len) {
			pe_err("Invalid length");
		if (BcnNumIes < len) {
			pe_err("RRM: Invalid IE len:%d exp_len:%d",
			       len, BcnNumIes);
			break;
		}

		if (len <= 2) {
			pe_err("RRM: Invalid IE");
			break;
		}
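Review bot: the declaration of `len` is not in this hunk, and splitting `len = *(pBcnIes + 1); len += 2;` yields the same value as the original single expression; if `len` is still narrower than 16 bits, `len += 2` wraps to 0 or 1 for a length byte of 0xfe or 0xff exactly as before, and the new `if (BcnNumIes < len)` check then compares the wrapped value, so the fix rests on `len` being widened elsewhere in the change (or on `*(pBcnIes + 1)` being range-checked before the addition). Separately, `if (len <= 2) { ... break; }` aborts the whole loop on a zero-length element rather than skipping it; zero-length elements are legal in 802.11 (the SSID element of a hidden-network beacon, for example), so advancing past the element and continuing would avoid dropping every IE that follows it.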