authorAbhinav Kumar <abhikuma@codeaurora.org>2019-03-05 12:06:33 +0530
committernshrivas <nshrivas@codeaurora.org>2019-03-13 06:50:25 -0700
commit3df06ed450b34659ae4761ba466f3729a39b110b (patch)
tree65ad4677fc83937e523b74fcfcb7fb542661d90f
parent15739da23bd5966fea51de6244df6176b1e8e586 (diff)
qcacld-3.0: Fix Integer overflow while sending beacon report
sme_ese_send_beacon_req_scan_results sends the number of BSS descriptions present in the beacon report through bcn_report->numBss. In each iteration the driver can send at most 4 BSS. If the driver has to send a beacon report for more than 4 BSS, it sends 4 BSS per iteration. Once the first four results are sent and bcn_report->numBss is not reset to 0, in the next iteration bcn_report->numBss++ starts from 4 instead of 0. This results in a value greater than 4 being sent, instead of 4, for the remaining BSS and leads to an integer overflow of bcn_report->numBss. The driver should memset the beacon_rep buffer in each iteration in order to prevent the integer overflow of bcn_report->numBss. This way the driver sends a fresh beacon report (independent of the previous beacon report) in each iteration. The fix is to memset the beacon_rep buffer to zero after sending the beacon report in each iteration in sme_ese_send_beacon_req_scan_results. Change-Id: I0d07e54ec7f05e8eef388f9958fad597dc49873e CRs-Fixed: 2408834
-rw-r--r--core/sme/src/rrm/sme_rrm.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/core/sme/src/rrm/sme_rrm.c b/core/sme/src/rrm/sme_rrm.c
index 34b672f080a5..c36335471447 100644
--- a/core/sme/src/rrm/sme_rrm.c
+++ b/core/sme/src/rrm/sme_rrm.c
@@ -296,9 +296,11 @@ static QDF_STATUS sme_ese_send_beacon_req_scan_results(
if (result_arr)
cur_result = result_arr[bss_counter];
- qdf_mem_zero(&bcn_rpt_rsp, sizeof(tSirEseBcnReportRsp));
do {
cur_meas_req = NULL;
+ /* memset bcn_rpt_rsp for each iteration */
+ qdf_mem_zero(&bcn_rpt_rsp, sizeof(bcn_rpt_rsp));
+
for (i = 0; i < rrm_ctx->eseBcnReqInfo.numBcnReqIe; i++) {
if (rrm_ctx->eseBcnReqInfo.bcnReq[i].channel ==
channel) {
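Review bot: The comment added above the new `qdf_mem_zero(&bcn_rpt_rsp, sizeof(bcn_rpt_rsp));` only restates the call; it does not say why the reset was moved inside the `do` loop, so a later reader could hoist it back out as a cleanup and reintroduce the carried-over `numBss` that this commit fixes. Suggest `/* Reset the report on every pass: numBss must restart at 0, otherwise the count carries over from the previous batch and overruns the fixed-size report (CRs-Fixed: 2408834). */`. Note that the per-pass zeroing now also clears any field of bcn_rpt_rsp written in an earlier pass; that is the intent here, but the loop body of sme_ese_send_beacon_req_scan_results continues outside the hunk, so whether anything relied on values persisting across passes cannot be confirmed from these lines.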
@@ -357,9 +359,9 @@ static QDF_STATUS sme_ese_send_beacon_req_scan_results(
bcn_report->numBss++;
if (++j >= SIR_BCN_REPORT_MAX_BSS_DESC)
break;
- if (j >= bss_count)
+ if ((bss_counter + j) >= bss_count)
break;
- cur_result = result_arr[j];
+ cur_result = result_arr[bss_counter + j];
}
bss_counter += j;