| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2018-06-08 14:44:15 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-06-11 22:11:07 -0700 |
| commit | 93001d369760674b546840fa470e10f51a2d1fe0 (patch) | |
| tree | da446aabc3874ed1ccbcec60d01f5af7536dbc5a /tools/perf/scripts/python | |
| parent | 7b74c510491819aa46d581a48711b21445931bd9 (diff) | |
qcacld-3.0: Possible buff overflow in sir_convert_assoc_resp_frame2_struct

After parsing of Re/Association Response frame,
sir_convert_assoc_resp_frame2_struct populates association response
structure sSirAssocRsp. In case FEATURE_WLAN_ESE is enabled,
the host runs a loop to memcopy all WMM TSPEC info from the parsed
buffer to the association response structure.

Currently, while copying parsed data to sSirAssocRsp,
sir_convert_assoc_resp_frame2_struct is passing (sizeof(tDot11fIEWMMTSPEC)
* ar->num_WMMTSPEC) as length argument to qdf_mem_copy to copy individual
TSPECInfo, which results in a buffer overflow, as the size of each
TSPECInfo is only sizeof(tDot11fIEWMMTSPEC).

Pass correct length to qdf_mem_copy while copying TSPECInfo.

Change-Id: I9c74e3bbd387fda736a715625260d95c67f03ecc
CRs-Fixed: 2254946
Diffstat (limited to 'tools/perf/scripts/python')
0 files changed, 0 insertions, 0 deletions
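
The length error described in the commit message, shown as an added C example that is not the driver's code. The types, `MAX_TSPEC_IES` and the 61-byte record size are constructed stand-ins, and the count clamp in the corrected loop is this example's own addition, not something the message describes.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins: names and sizes are assumptions, not the driver's. */
#define MAX_TSPEC_IES 4
typedef struct { unsigned char body[61]; } tspec_ie_t;  /* one TSPEC record */

typedef struct {
    unsigned   num_tspecs;
    tspec_ie_t tspec[MAX_TSPEC_IES];
} assoc_rsp_t;

/*
 * Flawed pattern: inside a per-element loop, each copy is given the length
 * sizeof(element) * count instead of sizeof(element). This function only
 * computes how many bytes the last such copy would write past the end of
 * dst->tspec[]; it performs no copy.
 */
size_t flawed_overrun_bytes(unsigned count)
{
    size_t elem = sizeof(tspec_ie_t);
    size_t cap  = sizeof(((assoc_rsp_t *)0)->tspec);
    size_t last_end;

    if (count == 0)
        return 0;
    /* Last iteration starts at element (count - 1) and writes elem * count. */
    last_end = (size_t)(count - 1) * elem + elem * (size_t)count;
    return last_end > cap ? last_end - cap : 0;
}

/*
 * Corrected loop: exactly one element per copy. The clamp to the destination
 * capacity is added here as defence in depth. Returns the number copied.
 */
unsigned copy_tspecs(assoc_rsp_t *dst, const tspec_ie_t *src, unsigned count)
{
    unsigned n = count > MAX_TSPEC_IES ? MAX_TSPEC_IES : count;
    unsigned i;

    for (i = 0; i < n; i++)
        memcpy(&dst->tspec[i], &src[i], sizeof(tspec_ie_t));
    dst->num_tspecs = n;
    return n;
}
```

With these constructed sizes the flawed length stays inside the destination array for one or two records and only overruns it from three records on, so a test frame with few TSPEC elements would not expose the bug.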
