From adb96af5b080dfe4ee29961a17ed3f04c87d5519 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda
Date: Mon, 21 Aug 2017 16:56:01 -0700
Subject: [PATCH] qcacld-2.0: Add bound check before writing to channel list qcacld-3.0 to qcacld-2.0 propagation In function rrm_process_beacon_report_req, add bound check before writing to channel list which is of fixed size.
Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
CRs-Fixed: 2060138
Bug: 64438727
Signed-off-by: Srinivas Girigowda
---
 drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
index 3fb65c45c2925..ddf22cd957db2 100644
--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -628,14 +628,21 @@ rrmProcessBeaconReportReq( tpAniSirGlobal pMac,
 pSmeBcnReportReq->channelList.numChannels = num_channels;
 if( pBeaconReq->measurement_request.Beacon.num_APChannelReport )
 {
- tANI_U8 *pChanList = pSmeBcnReportReq->channelList.channelNumber;
+ tANI_U8 *ch_lst = pSmeBcnReportReq->channelList.channelNumber;
+ uint8_t len;
+ uint16_t ch_ctr = 0;
 for( num_APChanReport = 0 ; num_APChanReport < pBeaconReq->measurement_request.Beacon.num_APChannelReport ; num_APChanReport++ )
 {
- vos_mem_copy(pChanList,
- pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].channelList,
- pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList);
+ len = pBeaconReq->measurement_request.Beacon.
+ APChannelReport[num_APChanReport].num_channelList;
+ if(ch_ctr + len > sizeof(pSmeBcnReportReq->channelList.channelNumber))
+ break;
+
+ vos_mem_copy(&ch_lst[ch_ctr],
+ pBeaconReq->measurement_request.Beacon.
+ APChannelReport[num_APChanReport].channelList, len);
- pChanList += pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList;
+ ch_ctr += len;
 }
 }
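Review bot: The new bound check stops the copy, but `channelList.numChannels` was already set to `num_channels` on the context line above the `if`, and nothing lowers it when the loop takes the `break`. If `num_channels` is the sum of the per-report counts (its computation is outside this hunk), an oversized request leaves `numChannels` larger than the `ch_ctr` bytes actually written, so a later consumer that walks `numChannels` entries could still read past `channelNumber`. I would add `pSmeBcnReportReq->channelList.numChannels = ch_ctr;` after the loop, or reject the request outright, and log the truncation rather than breaking silently. The check also depends on `channelNumber` being a true array so that `sizeof` yields its capacity; the function body starts and ends outside the hunk, so neither point can be confirmed from here.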