authorPragaspathi Thilagaraj <tpragasp@codeaurora.org>2018-05-07 16:26:31 +0530
committernshrivas <nshrivas@codeaurora.org>2018-05-08 03:56:30 -0700
commit0c470324a27a18ce77f189d9cc4d0814636203f1 (patch)
treeaac2679d248a97fe75ab4bdad015d1efad501db2
parenta6901dba8700a7c4f2f2ae5db9a1368b375cfeed (diff)
qcacld-3.0: Fix possible integer overflow in lim
In the function lim_process_sme_update_access_policy_vendor_ie, update_vendor_ie is parsed from the incoming msg. num_bytes is the length of the IE and is retrieved as update_vendor_ie->ie[1]+2. This num_bytes value is used as the size to copy the IE to pe_session_entry->access_policy_vendor_ie. The update_vendor_ie->ie[1] can have a maximum value of SIR_MAC_MAX_IE_LENGTH. As num_bytes is of type uint8_t, a possible integer overflow can occur in lim_process_sme_update_access_policy_vendor_ie when num_bytes is assigned with update_vendor_ie->ie[1]. Change the data type of num_bytes to uint16_t so that it can hold the value of update_vendor_ie->ie[1] without truncation. Change-Id: I05c7e83a741bf1c9c0707be51f97eae9eff1ac97 CRs-Fixed: 2235044
-rw-r--r--core/mac/src/pe/lim/lim_process_sme_req_messages.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/core/mac/src/pe/lim/lim_process_sme_req_messages.c b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
index e8c256b23f2f..254500460b6d 100644
--- a/core/mac/src/pe/lim/lim_process_sme_req_messages.c
+++ b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
@@ -5068,7 +5068,7 @@ static void lim_process_sme_update_access_policy_vendor_ie(
{
struct sme_update_access_policy_vendor_ie *update_vendor_ie;
struct sPESession *pe_session_entry;
- uint8_t num_bytes;
+ uint16_t num_bytes;
if (!msg) {
pe_err("Buffer is Pointing to NULL");
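Review bot: The wider `num_bytes` declared here needs a bounds check against the capacity of `pe_session_entry->access_policy_vendor_ie` before the copy, and this hunk does not show one. With `uint8_t` the value of `update_vendor_ie->ie[1] + 2` wrapped to a small length; as `uint16_t` it can reach SIR_MAC_MAX_IE_LENGTH + 2, so the copy the commit message describes is now driven by the full message-supplied length. The function body continues past the hunk, so the check may already exist there, but that should be confirmed as part of this change. If it is missing, a guard ahead of the copy such as `if (num_bytes > sizeof(pe_session_entry->access_policy_vendor_ie)) { pe_err("IE length %d exceeds buffer", num_bytes); return; }` (assuming the field is a fixed-size array) would reject oversized IEs instead of overrunning the session buffer.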