authorVarun Reddy Yeturu <varunreddy.yeturu@codeaurora.org>2017-10-02 11:52:37 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2017-10-06 12:13:54 -0700
commitcb17c325374add74ca40e1edb3be22107e157750 (patch)
tree5b1089526bd3de9710eb8394b0d0a46d4c9731d3
parentdd8dd999410a4c447567161129838c19180104ea (diff)
qcacld-3.0: Check the length of IE's before appending
Check the length of the IE's before appending them and storing them in the session in lim_process_update_add_ies. Change-Id: I70d26638a58998c82a8810d7c2181d1f24c56e19 CRs-Fixed: 2119729
-rw-r--r--core/mac/src/pe/lim/lim_process_sme_req_messages.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/core/mac/src/pe/lim/lim_process_sme_req_messages.c b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
index e364bd7f3c44..159c9ddb9b90 100644
--- a/core/mac/src/pe/lim/lim_process_sme_req_messages.c
+++ b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
@@ -5794,8 +5794,18 @@ static void lim_process_update_add_ies(tpAniSirGlobal mac_ctx,
if (update_ie->append) {
/*
* In case of append, allocate new memory
- * with combined length
+ * with combined length.
+ * Multiple back to back append commands
+ * can lead to a huge length.So, check
+ * for the validity of the length.
*/
+ if (addn_ie->probeRespDataLen >
+ (USHRT_MAX - update_ie->ieBufferlength)) {
+ pe_err("IE Length overflow, curr:%d, new:%d",
+ addn_ie->probeRespDataLen,
+ update_ie->ieBufferlength);
+ goto end;
+ }
new_length = update_ie->ieBufferlength +
addn_ie->probeRespDataLen;
new_ptr = qdf_mem_malloc(new_length);
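Review bot: The added guard `if (addn_ie->probeRespDataLen > (USHRT_MAX - update_ie->ieBufferlength))` is only sound if both length fields, and `new_length`, are 16-bit; their declarations are outside the hunk, so this should be confirmed. If `ieBufferlength` were wider than 16 bits, the subtraction would presumably wrap for values above `USHRT_MAX` and the check would pass. Doing the sum in a wider type avoids that dependency: `uint32_t total = (uint32_t)update_ie->ieBufferlength + addn_ie->probeRespDataLen;` followed by `if (total > USHRT_MAX) { ... goto end; }`. The `pe_err` call prints both lengths with `%d`, where `%u` would match if they are unsigned, and the new comment is missing a space in `length.So`. The function body, including the `end` label and the copy into `new_ptr`, continues outside the hunk, so the cleanup on this new error path cannot be checked from here.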