authorGanesh Babu Kumaravel <kganesh@qti.qualcomm.com>2014-06-09 12:13:26 +0530
committerPitani Venkata Rajesh Kumar <c_vpitan@qti.qualcomm.com>2014-06-11 13:23:01 +0530
commit99622ab77a747fcd41cb45af127d5d235ca851fd (patch)
tree648ca8ea804eb653625cd62bf92329ed4e9568a6
parent1c63f3abd81aab5b70eb3f5ea93e97fe638d1ef4 (diff)
qcacld/tlshim: Fix for Data Abort in storing Beacon data
In tlshim_mgmt_rx_process() we store the last Beacon and Probe Response for roaming purposes. The data pointer passed to tlshim_mgmt_rx_process() holds only the TLV header, while the data length passed is the complete wmi buffer length. So the data pointer is allocated only for the TLV size, and any access of memory exceeding this size may result in a Data Abort if the memory falls in an unmapped region. Fix it by copying only the TLV size. Change-Id: I57bbb6506adabb9a950f4a2a20080d94592d969c CRs-Fixed: 677238
-rw-r--r--CORE/CLD_TXRX/TLSHIM/tl_shim.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/CORE/CLD_TXRX/TLSHIM/tl_shim.c b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
index 828c9f448b49..b597a8f6640e 100644
--- a/CORE/CLD_TXRX/TLSHIM/tl_shim.c
+++ b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
@@ -552,11 +552,11 @@ static int tlshim_mgmt_rx_process(void *context, u_int8_t *data,
tl_shim->last_beacon_data = NULL;
tl_shim->last_beacon_len = 0;
}
- if((tl_shim->last_beacon_data = vos_mem_malloc(data_len))) {
+ if((tl_shim->last_beacon_data = vos_mem_malloc(sizeof(WMI_MGMT_RX_EVENTID_param_tlvs)))) {
u_int32_t buf_len = roundup(hdr->buf_len, sizeof(u_int32_t));
- vos_mem_copy(tl_shim->last_beacon_data, data, data_len);
- tl_shim->last_beacon_len = data_len;
+ vos_mem_copy(tl_shim->last_beacon_data, data, sizeof(WMI_MGMT_RX_EVENTID_param_tlvs));
+ tl_shim->last_beacon_len = sizeof(WMI_MGMT_RX_EVENTID_param_tlvs);
last_tlvs = (WMI_MGMT_RX_EVENTID_param_tlvs *) tl_shim->last_beacon_data;
if ((last_tlvs->hdr = vos_mem_malloc(sizeof(wmi_mgmt_rx_hdr)))) {
vos_mem_copy(last_tlvs->hdr, hdr, sizeof(wmi_mgmt_rx_hdr));
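Review bot: The fixed-size `vos_mem_copy` into `last_beacon_data` is a shallow copy of a pointer-bearing struct, so the cached copy keeps aliasing the caller's event buffers until every pointer member has been replaced. Only `hdr` is visibly replaced in this hunk. If a later allocation fails, any other pointer member would still refer to memory the cache does not own, and the cleanup block whose tail is visible at the top of the hunk presumably frees those members on the next beacon. Consider setting the copied pointer members to NULL right after the copy and before the nested allocations, or filling the cached struct field by field instead of copying it. The enclosing block of tlshim_mgmt_rx_process() starts and ends outside the hunk, so the failure paths need to be confirmed there; separately, a guard on `data_len < sizeof(WMI_MGMT_RX_EVENTID_param_tlvs)` before the copy would make explicit the assumption that `data` always holds one full TLV struct, and `sizeof(*last_tlvs)` would avoid repeating the type name three times.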