From 3df06ed450b34659ae4761ba466f3729a39b110b Mon Sep 17 00:00:00 2001
From: Abhinav Kumar
Date: Tue, 5 Mar 2019 12:06:33 +0530
Subject: qcacld-3.0: Fix Integer overflow while sending beacon report

sme_ese_send_beacon_req_scan_results sends number of bss description present in beacon report through bcn_report->numBss. For each iteration driver could send max 4 BSS. In case if driver has to send beacon report for more than 4 BSS, It sends 4 BSS per iteration. Once first four results are sent and bcn_report->numBss is not set to 0, in next iteration bcn_report->numBss++ start from 4 instead of 0. This Result in sending value more than 4 instead of 4 for next rest BSS and leads to Integer overflow for bcn_report->numBss. Driver should memset beacon_rep buffer for each iteration in order to prevent Integer overflow of bcn_report->numBss. By this driver could send fresh beacon report (independent of previous beacon report) in each iteration. Fix is to memset beacon_rep buffer to zero after sending beacon report in each iteration in sme_ese_send_beacon_req_scan_results.

Change-Id: I0d07e54ec7f05e8eef388f9958fad597dc49873e
CRs-Fixed: 2408834
---
 core/sme/src/rrm/sme_rrm.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/core/sme/src/rrm/sme_rrm.c b/core/sme/src/rrm/sme_rrm.c
index 34b672f080a5..c36335471447 100644
--- a/core/sme/src/rrm/sme_rrm.c
+++ b/core/sme/src/rrm/sme_rrm.c
@@ -296,9 +296,11 @@ static QDF_STATUS sme_ese_send_beacon_req_scan_results(
  if (result_arr)
  cur_result = result_arr[bss_counter];
 
- qdf_mem_zero(&bcn_rpt_rsp, sizeof(tSirEseBcnReportRsp));
  do {
  cur_meas_req = NULL;
+ /* memset bcn_rpt_rsp for each iteration */
+ qdf_mem_zero(&bcn_rpt_rsp, sizeof(bcn_rpt_rsp));
+
  for (i = 0; i < rrm_ctx->eseBcnReqInfo.numBcnReqIe; i++) {
  if (rrm_ctx->eseBcnReqInfo.bcnReq[i].channel ==
  channel) {
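Review bot: The added comment `/* memset bcn_rpt_rsp for each iteration */` restates the call beneath it rather than the reason the zeroing moved into the do-loop; from the description, a stale `numBss` otherwise keeps counting up across batches, so a report would presumably claim more entries than the `SIR_BCN_REPORT_MAX_BSS_DESC` it can hold, and a consumer trusting that count would read past what was actually filled. I would replace it with `/* Start each batch from a clean report so numBss restarts at 0 instead of carrying over from the previous batch. */`. Switching to `sizeof(bcn_rpt_rsp)` is an improvement in its own right, since the size now follows the variable rather than a separately named type. The body of sme_ese_send_beacon_req_scan_results starts before this hunk and the do-loop it opens closes after it.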
@@ -357,9 +359,9 @@ static QDF_STATUS sme_ese_send_beacon_req_scan_results(
  bcn_report->numBss++;
  if (++j >= SIR_BCN_REPORT_MAX_BSS_DESC)
  break;
- if (j >= bss_count)
+ if ((bss_counter + j) >= bss_count)
  break;
- cur_result = result_arr[j];
+ cur_result = result_arr[bss_counter + j];
  }
 
  bss_counter += j;
-- 
cgit v1.2.3
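Review bot: The re-indexing to `result_arr[bss_counter + j]` fixes a second defect that the commit message does not mention — the old `result_arr[j]` appears to have re-read the first batch on every pass of the do-loop, given that `bss_counter += j` accumulates the per-batch count — and it deserves a sentence in the description or a comment at the index so the two fixes are not conflated. `bss_counter + j` is now computed once for the bound and again for the index; a local of bss_counter's type, `next = bss_counter + j;`, used in both the comparison and the subscript would make it visible that the value checked against `bss_count` is the value indexed. Breaking on `SIR_BCN_REPORT_MAX_BSS_DESC` before the `bss_count` check is fine, since the subscript is only evaluated after both guards pass. The loop containing these lines opens before the hunk and `j` is reset outside it, so the per-batch restart at 0 is inferred, not visible here.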