| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2019-03-05 12:06:33 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2020-12-15 20:40:26 -0800 |
| commit | 6f86e6f839135c48578f61f0ec5f9a375461cfb8 (patch) | |
| tree | 7a095b4e84575868496f925c81fcedcc31ae5cb9 /lib/cpu-notifier-error-inject.c | |
| parent | 75fa086a05b5c74f076f36221ab84f50e43f78c3 (diff) | |
qcacld-3.0: Fix Integer overflow while sending beacon report

sme_ese_send_beacon_req_scan_results sends the number of BSS descriptions
present in the beacon report through bcn_report->numBss. For each
iteration the driver could send at most 4 BSS. If the driver has to send
a beacon report for more than 4 BSS, it sends 4 BSS per iteration. Once
the first four results are sent and bcn_report->numBss is not set to 0,
in the next iteration bcn_report->numBss++ starts from 4 instead of 0.
This results in sending a value greater than 4 instead of 4 for the
remaining BSS and leads to an integer overflow of bcn_report->numBss.

The driver should memset the beacon_rep buffer for each iteration in
order to prevent an integer overflow of bcn_report->numBss. This way the
driver can send a fresh beacon report (independent of the previous
beacon report) in each iteration.

The fix is to memset the beacon_rep buffer to zero after sending the
beacon report in each iteration in sme_ese_send_beacon_req_scan_results.

Change-Id: I0d07e54ec7f05e8eef388f9958fad597dc49873e
CRs-Fixed: 2408834
Diffstat (limited to 'lib/cpu-notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions
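The batching pattern the commit message describes, as an added example that is not the driver's code: the struct layout, the `uint8_t` counter width and every name below are assumptions made for illustration. It counts how many reports reach the consumer with a count larger than the array they describe, with and without the per-iteration memset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BSS_PER_REPORT 4  /* "max 4 BSS" per iteration, per the commit message */

/* Hypothetical stand-ins for the driver's report structures. */
struct bss_entry { uint8_t bssid[6]; };
struct beacon_report {
    uint8_t num_bss;                          /* assumed counter width */
    struct bss_entry bss[MAX_BSS_PER_REPORT];
};

/* Consumer-side sanity check: the count must fit the array it describes. */
static int report_is_valid(const struct beacon_report *r)
{
    return r->num_bss <= MAX_BSS_PER_REPORT;
}

/*
 * Send `total` scan results in batches of MAX_BSS_PER_REPORT and return
 * how many reports fail report_is_valid(). reset_each_batch = 0 models
 * the behaviour before the fix, 1 models the memset after each send.
 */
static unsigned send_results(size_t total, int reset_each_batch)
{
    struct beacon_report rep;
    unsigned invalid = 0;
    size_t sent = 0;

    memset(&rep, 0, sizeof(rep));
    while (sent < total) {
        size_t slot = 0;
        while (slot < MAX_BSS_PER_REPORT && sent < total) {
            rep.bss[slot].bssid[5] = (uint8_t)sent; /* constructed sample data */
            rep.num_bss++;                          /* carries over if never reset */
            slot++;
            sent++;
        }
        if (!report_is_valid(&rep))                 /* the report is "sent" here */
            invalid++;
        if (reset_each_batch)
            memset(&rep, 0, sizeof(rep));           /* fresh report per iteration */
    }
    return invalid;
}

int main(void)
{
    printf("no reset: %u invalid reports\n", send_results(10, 0));
    printf("reset:    %u invalid reports\n", send_results(10, 1));
    return 0;
}
```

A bounds check such as `report_is_valid` on the consumer side is a separate defence: it catches a stale count even if a later change reintroduces the missing reset.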
