diff options
| author | CNSS_WLAN Service <cnssbldsw@qualcomm.com> | 2019-05-07 02:50:04 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-05-07 02:50:04 -0700 |
| commit | 07e306dabafc72155a722c325f3834c25b4bacfb (patch) | |
| tree | 3e1499e41b13a88ae5bedacbf0bf4e319b0a4d32 | |
| parent | 2c38e20677eba0e3fbcdd76ec2f0293861b3cdea (diff) | |
| parent | b81d814d8e5fed8839d70771d159f395c5f3bda9 (diff) | |
Merge "qcacld-2.0: Fix OOB read in sme_RrmProcessBeaconReportReqInd" into wlan-cld2.driver.lnx.1.0
| -rw-r--r-- | CORE/SME/src/rrm/sme_rrm.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/CORE/SME/src/rrm/sme_rrm.c b/CORE/SME/src/rrm/sme_rrm.c index 246a2d90eb8f..0ce0fef05092 100644 --- a/CORE/SME/src/rrm/sme_rrm.c +++ b/CORE/SME/src/rrm/sme_rrm.c @@ -937,6 +937,12 @@ eHalStatus sme_RrmProcessBeaconReportReqInd(tpAniSirGlobal pMac, void *pMsgBuf) #if defined WLAN_VOWIFI_DEBUG smsLog( pMac, LOGE, "Received Beacon report request ind Channel = %d", pBeaconReq->channelInfo.channelNum ); #endif + + if (pBeaconReq->channelList.numChannels > SIR_ESE_MAX_MEAS_IE_REQS) { + smsLog( pMac, LOGP, "Beacon report request numChannels: %u exceeds " + "max num channels", pBeaconReq->channelList.numChannels); + return eHAL_STATUS_FAILURE; + } //section 11.10.8.1 (IEEE Std 802.11k-2008) //channel 0 and 255 has special meaning. if( (pBeaconReq->channelInfo.channelNum == 0) || |