authorLinux Build Service Account <lnxbuild@localhost>2021-01-06 11:27:07 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2021-01-06 11:27:07 -0800
commitd13f712297a8a752479ad1b0a52becb662af2247 (patch)
treec638fcfe3ba455d7d7b1d8f11860b241fdc2201f
parentaeff453291edb96372a64f642b82a476cad392e2 (diff)
parentd82d4b1fc7fabc2e720f29d461cdba8f1def4223 (diff)
Merge "qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()"
-rw-r--r--core/mac/src/pe/rrm/rrm_api.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index 00142a4a6f28..e600d1efd47b 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -747,12 +747,19 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
}
while (BcnNumIes > 0) {
- len = *(pBcnIes + 1) + 2; /* element id + length. */
+ len = *(pBcnIes + 1);
+ len += 2; /* element id + length. */
pe_debug("EID = %d, len = %d total = %d",
*pBcnIes, *(pBcnIes + 1), len);
- if (!len) {
- pe_err("Invalid length");
+ if (BcnNumIes < len) {
+ pe_err("RRM: Invalid IE len:%d exp_len:%d",
+ len, BcnNumIes);
+ break;
+ }
+
+ if (len <= 2) {
+ pe_err("RRM: Invalid IE");
break;
}
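Review bot: The length byte at `*(pBcnIes + 1)` is read, and logged by `pe_debug`, before anything confirms that two bytes remain: the loop condition is only `BcnNumIes > 0`, and the new `BcnNumIes < len` check runs after the read. If BcnNumIes is the number of bytes left at pBcnIes, as the new comparison suggests, a buffer that ends in a lone element-id byte leads to a one-byte read past the IE data. A guard at the top of the loop body, `if (BcnNumIes < 2) break;`, placed before `len = *(pBcnIes + 1);`, would close that gap. Separately, `len <= 2` now also stops the loop on an element whose length byte is 0 (len == 2), not only on a wrapped value; if that is intended, a one-line comment saying so would help. The declaration of `len` and the rest of the loop body are outside the hunk, so its width and the later `BcnNumIes` update could not be checked here.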