authorPadma, Santhosh Kumar <skpadma@qti.qualcomm.com>2016-06-08 18:29:20 +0530
committerAnjaneedevi Kapparapu <akappa@codeaurora.org>2016-06-20 16:10:54 +0530
commit390eba1cc1a0057c8c7ac69450cbee0286ec5ff9 (patch)
tree19ff6423f1d0b3208e155c0185fe366ba9c18142
parent0a18af7723c58987944780bad0ff7f35605413ac (diff)
qcacld-2.0: Fix buffer overflow
In limInitPeerIdxpool, the driver initializes gLimAssocStaLimit/gLimIbssStaLimit entries of the peer index pool. However, peCreateSession may allocate less memory for the peer index pool, because maxStation can be different from gLimAssocStaLimit/gLimIbssStaLimit, so the initialization can overwrite adjacent memory locations. Fix this by initializing maxStation entries. Also, change limCreateSessionForRemainOnChn to use pMac->lim.maxStation as the number of entries. Change-Id: I915e67fe7a15ebe622273af971d8a88ad78585cf CRs-Fixed: 1025378
-rw-r--r--CORE/MAC/src/pe/lim/limAIDmgmt.c3
-rw-r--r--CORE/MAC/src/pe/lim/limP2P.c2
2 files changed, 2 insertions, 3 deletions
diff --git a/CORE/MAC/src/pe/lim/limAIDmgmt.c b/CORE/MAC/src/pe/lim/limAIDmgmt.c
index 26d27159ca96..d26a23b07dd0 100644
--- a/CORE/MAC/src/pe/lim/limAIDmgmt.c
+++ b/CORE/MAC/src/pe/lim/limAIDmgmt.c
@@ -76,7 +76,7 @@ void
limInitPeerIdxpool(tpAniSirGlobal pMac,tpPESession pSessionEntry)
{
tANI_U8 i;
- tANI_U8 maxAssocSta = pMac->lim.gLimAssocStaLimit;
+ tANI_U8 maxAssocSta = pMac->lim.maxStation;
pSessionEntry->gpLimPeerIdxpool[0]=0;
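Review bot: The bound in limInitPeerIdxpool is still read from a global (`pMac->lim.maxStation`) rather than from the size the session's pool was actually allocated with, so the fix holds only while every peCreateSession caller passes that same value, as the limP2P.c hunk now does by hand. A later caller passing a smaller station count would bring the out-of-bounds write back; storing the allocated entry count in the session at creation and using it here would remove that coupling, and at minimum the declaration should carry `/* must equal the station count passed to peCreateSession, which sizes gpLimPeerIdxpool */`. Separately, `maxAssocSta` stays `tANI_U8`; if `lim.maxStation` is declared wider than 8 bits (its type is not visible here) the assignment truncates silently, so the local should take the field's type. The function body, including the initializing loop, continues outside the hunk.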
@@ -92,7 +92,6 @@ limInitPeerIdxpool(tpAniSirGlobal pMac,tpPESession pSessionEntry)
#ifdef QCA_IBSS_SUPPORT
if (LIM_IS_IBSS_ROLE(pSessionEntry)) {
pSessionEntry->freePeerIdxHead=LIM_START_PEER_IDX;
- maxAssocSta = pMac->lim.gLimIbssStaLimit;
}
else
#endif
diff --git a/CORE/MAC/src/pe/lim/limP2P.c b/CORE/MAC/src/pe/lim/limP2P.c
index 3f124e8b3688..266c1b218205 100644
--- a/CORE/MAC/src/pe/lim/limP2P.c
+++ b/CORE/MAC/src/pe/lim/limP2P.c
@@ -225,7 +225,7 @@ tSirRetStatus limCreateSessionForRemainOnChn(tpAniSirGlobal pMac, tPESession **p
{
if((psessionEntry = peCreateSession(pMac,
pMac->lim.gpLimRemainOnChanReq->selfMacAddr,
- &sessionId, 1, eSIR_INFRA_AP_MODE)) == NULL)
+ &sessionId, pMac->lim.maxStation, eSIR_INFRA_AP_MODE)) == NULL)
{
limLog(pMac, LOGE, FL("Session Can not be created "));
/* send remain on chn failure */