Merge "qcacld-3.0: Fix OOB read in sme_rrm_process_beacon_report_req_ind" into android-msm-bonito-4.9-pi-dr2-security-next

author: Kelly Rossmoyer <krossmo@google.com> 2019-05-09 01:55:47 +0000
committer: Android Partner Code Review <android-gerrit-partner@google.com> 2019-05-09 01:55:47 +0000
commit: 4f29a3befc4ef7bb7061e0a153df554597fc2d1b (patch)
tree: ccd26aa78e76ca733c753f1db46ff33a7dbfbce3
parent: e2150a1fcad3ca223ac5548756d0da2b8f9e1b5b (diff)
parent: 58c9b38dedf3837efce1f5f03693f5b1703bcc09 (diff)
download: qcacld-4f29a3befc4ef7bb7061e0a153df554597fc2d1b.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/core/sme/src/rrm/sme_rrm.c b/core/sme/src/rrm/sme_rrm.c
index 38b7560429..8e7cba1a4e 100644
--- a/core/sme/src/rrm/sme_rrm.c
+++ b/core/sme/src/rrm/sme_rrm.c
@@ -845,6 +845,14 @@ QDF_STATUS sme_rrm_process_beacon_report_req_ind(tpAniSirGlobal pMac,
 
 	sme_debug("Received Beacon report request ind Channel = %d",
 		pBeaconReq->channelInfo.channelNum);
+
+	if (pBeaconReq->channelList.numChannels >
+	    SIR_ESE_MAX_MEAS_IE_REQS) {
+		sme_err("Beacon report request numChannels:%u exceeds max num channels",
+			pBeaconReq->channelList.numChannels);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	/* section 11.10.8.1 (IEEE Std 802.11k-2008) */
 	/* channel 0 and 255 has special meaning. */
 	if ((pBeaconReq->channelInfo.channelNum == 0) ||
author	Kelly Rossmoyer <krossmo@google.com>	2019-05-09 01:55:47 +0000
committer	Android Partner Code Review <android-gerrit-partner@google.com>	2019-05-09 01:55:47 +0000
commit	4f29a3befc4ef7bb7061e0a153df554597fc2d1b (patch)
tree	ccd26aa78e76ca733c753f1db46ff33a7dbfbce3
parent	e2150a1fcad3ca223ac5548756d0da2b8f9e1b5b (diff)
parent	58c9b38dedf3837efce1f5f03693f5b1703bcc09 (diff)
download	qcacld-4f29a3befc4ef7bb7061e0a153df554597fc2d1b.tar.gz