| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2018-06-27 11:26:53 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-07-02 11:20:07 -0700 |
| commit | 231972bcce3e63fccbd685632dec138f4c2c1f48 (patch) | |
| tree | 2e4aef0f9f19c67aab785b83dec84cf2510ea9fb /core/mac/src | |
| parent | a79ade12a7fd05974d28e4e95f4665ce40db9fb7 (diff) | |
qcacld-3.0: Fix OOB write in lim_populate_peer_rate_set
To populate peer rates (Supported rates, HT & VHT Capabilities)
lim_populate_peer_rate_set first copies values of
psessionEntry->rateSet.rate in a local buffer tempRateSet for
sorting of rates. Currently while copying, index for
psessionEntry->rateSet.rate buffer varies from 0 to max rate
allowed SIR_MAC_RATESET_EID_MAX(12). This results in access of 13th
index(OOB) of psessionEntry->rateSet.rate buffer.
The fix is to set proper upper bound to copy values of
psessionEntry->rateSet.rate into a local buffer tempRateSet.
Change-Id: I75d5f5b5e7d44665101dae6e095b4adadc1781fb
CRs-Fixed: 2268610
Diffstat (limited to 'core/mac/src')
| -rw-r--r-- | core/mac/src/pe/lim/lim_assoc_utils.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/core/mac/src/pe/lim/lim_assoc_utils.c b/core/mac/src/pe/lim/lim_assoc_utils.c index 5b62911dc988..4aabe564137e 100644 --- a/core/mac/src/pe/lim/lim_assoc_utils.c +++ b/core/mac/src/pe/lim/lim_assoc_utils.c @@ -1685,7 +1685,7 @@ lim_populate_peer_rate_set(tpAniSirGlobal pMac, } } else tempRateSet2.numRates = 0; - if ((tempRateSet.numRates + tempRateSet2.numRates) > + if ((tempRateSet.numRates + tempRateSet2.numRates) >= SIR_MAC_RATESET_EID_MAX) { pe_err("more than 12 rates in CFG"); return eSIR_FAILURE; |
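Review bot: The pe_err text under the changed comparison no longer matches the condition. With `>=`, a combined tempRateSet.numRates + tempRateSet2.numRates equal to SIR_MAC_RATESET_EID_MAX is now rejected, but the log still reads "more than 12 rates in CFG", which will mislead anyone triaging an association failure where the total is exactly 12. Please update the message, ideally logging both counts and the limit. The commit message describes the fix as setting the upper bound of the copy from psessionEntry->rateSet.rate, while the only changed line is this pre-check, so a short comment above the `if` stating why equality has to fail (which later index would otherwise reach one past the end) would make the off-by-one auditable from the code itself.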
