qcacld-3.0: Fix OOB read in sme_rrm_process_beacon_report_req_ind

When beacon report request action frame is received,
rrm_process_beacon_report_req() is called and num_channels value
is calculated from the action frame directly from user. This
value is assigned to pSmeBcnReportReq->channelList.numChannels
and this num channels value along with the channel list is
posted to sme for further processing. The sme function
sme_rrm_process_beacon_report_req_ind() processes this sme
message eWNI_SME_BEACON_REPORT_REQ_IND. In this function,
the channels in channel list are looped through the received
value pBeaconReq->channelList.numChannels and is copied to the
destination pSmeRrmContext->channelList array from the
pBeaconReq->channelList.channelNumber[] array.
The maximum possible number of channels in channel list
BeaconReq->channelList.channelNumber[] allocated statically
in the definition of tSirChannelList is
SIR_ESE_MAX_MEAS_IE_REQS (8).
So when the pBeaconReq->channelList.numChannels, possible OOB
read occurs.

Validate the value of pBeaconReq->channelList.numChannels
received from the action frame against the maximum supported
number of channels in channel list SIR_ESE_MAX_MEAS_IE_REQS (8).
Place this validation inside the function
sme_rrm_process_beacon_report_req_ind() instead of validating it
at rrm_process_beacon_report_req() so that it defends from other
caller sme_set_ese_beacon_request() which is from user space
command through IOCTL.

Change-Id: I2074b04081328ceab7eeb29c33631a635e9d93c3
CRs-Fixed: 2335974

0 files changed, 0 insertions, 0 deletions