author | Kelly Rossmoyer <krossmo@google.com> | 2019-05-09 01:55:47 +0000 |
---|---|---|
committer | Android Partner Code Review <android-gerrit-partner@google.com> | 2019-05-09 01:55:47 +0000 |
commit | 4f29a3befc4ef7bb7061e0a153df554597fc2d1b (patch) | |
tree | ccd26aa78e76ca733c753f1db46ff33a7dbfbce3 | |
parent | e2150a1fcad3ca223ac5548756d0da2b8f9e1b5b (diff) | |
parent | 58c9b38dedf3837efce1f5f03693f5b1703bcc09 (diff) | |
Merge "qcacld-3.0: Fix OOB read in sme_rrm_process_beacon_report_req_ind" into android-msm-bonito-4.9-pi-dr2-security-next
-rw-r--r-- | core/sme/src/rrm/sme_rrm.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/core/sme/src/rrm/sme_rrm.c b/core/sme/src/rrm/sme_rrm.c
index 38b7560429..8e7cba1a4e 100644
--- a/core/sme/src/rrm/sme_rrm.c
+++ b/core/sme/src/rrm/sme_rrm.c
@@ -845,6 +845,14 @@ QDF_STATUS sme_rrm_process_beacon_report_req_ind(tpAniSirGlobal pMac,
 sme_debug("Received Beacon report request ind Channel = %d",
 pBeaconReq->channelInfo.channelNum);
+
+ if (pBeaconReq->channelList.numChannels >
+ SIR_ESE_MAX_MEAS_IE_REQS) {
+ sme_err("Beacon report request numChannels:%u exceeds max num channels",
+ pBeaconReq->channelList.numChannels);
+ return QDF_STATUS_E_INVAL;
+ }
+
 /* section 11.10.8.1 (IEEE Std 802.11k-2008) */
 /* channel 0 and 255 has special meaning. */
 if ((pBeaconReq->channelInfo.channelNum == 0) || |
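Review bot: The new guard compares `pBeaconReq->channelList.numChannels` against `SIR_ESE_MAX_MEAS_IE_REQS`, but nothing in the hunk shows that this constant is the declared size of the array that `numChannels` later indexes, or of any buffer the channels are copied into. The declaration and the consuming loop are outside the hunk, as are the start and end of `sme_rrm_process_beacon_report_req_ind`. If the constant and the array size ever diverge, the out-of-bounds read comes back without any warning, so I would derive the limit from the array itself (a sizeof-based element count on the channel array inside `channelList`). Failing that, once the relationship is confirmed, add a comment above the check such as `/* numChannels is taken from the request; channelList holds at most SIR_ESE_MAX_MEAS_IE_REQS entries */`. Separately, the `sme_err` call logs once per rejected request with a value that appears to come from the request, so it is worth checking whether it can be triggered often enough to flood the log.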