qcacld/pe: Fix to validate numSSID and bssType in scan request path

This commit adds check to validate numSSID to avoid out of buffer
operations and also a check to bssType to make sure that it is
non-negative.

CRs-Fixed: 390362
Change-Id: I4d3712862138091038783629bcd235a999454cb8

1 files changed, 8 insertions, 3 deletions

diff --git a/CORE/MAC/src/pe/lim/limSmeReqUtils.c b/CORE/MAC/src/pe/lim/limSmeReqUtils.c
index b88835c0e115..0eadbbddee29 100644
--- a/CORE/MAC/src/pe/lim/limSmeReqUtils.c
+++ b/CORE/MAC/src/pe/lim/limSmeReqUtils.c
@@ -853,6 +853,13 @@ limIsSmeScanReqValid(tpAniSirGlobal pMac, tpSirSmeScanReq pScanReq)
     tANI_U8 valid = true;
     tANI_U8 i = 0;
 
+    if (pScanReq->numSsid > SIR_SCAN_MAX_NUM_SSID)
+    {
+        valid = false;
+        limLog(pMac, LOGE, FL("Number of SSIDs > SIR_SCAN_MAX_NUM_SSID"));
+        goto end;
+    }
+
     for (i = 0; i < pScanReq->numSsid; i++)
     {
         if (pScanReq->ssId[i].length > SIR_MAC_MAX_SSID_LENGTH)
@@ -863,7 +870,7 @@ limIsSmeScanReqValid(tpAniSirGlobal pMac, tpSirSmeScanReq pScanReq)
             goto end;
         }
     }
-    if (pScanReq->bssType > eSIR_AUTO_MODE)
+    if ((pScanReq->bssType < 0) || (pScanReq->bssType > eSIR_AUTO_MODE))
     {
        limLog(pMac, LOGE, FL("Invalid BSS Type"));
        valid = false;
@@ -884,8 +891,6 @@ limIsSmeScanReqValid(tpAniSirGlobal pMac, tpSirSmeScanReq pScanReq)
         limLog(pMac, LOGE, FL("Number of Channels > SIR_MAX_NUM_CHANNELS"));
     }
 
-
-
     /*
     ** check min/max channelTime range
     **/