Merge branch 'android-msm-pixel-4.14-sc-security' into android-msm-pixel-4.14-sc-qpr1android-12.0.0_r0.39 android-12.0.0_r0.38 android-12.0.0_r0.33 android-12.0.0_r0.32 android-msm-sunfish-4.14-android12-qpr1 android-msm-coral-4.14-android12-qpr1

Jan 2022.1 Bug: 204278308 Change-Id: Ia466ab0112c6ccea9d8f3725dc027312a8a3edfc
author: Eva Huang <evahuang@google.com> 2021-11-24 16:17:30 +0800
committer: Eva Huang <evahuang@google.com> 2021-11-24 16:17:30 +0800
commit: e30fcb9c380a70b2a9f2d8935587e03c9dbc6122 (patch)
tree: 3eb735b5f6b103762f8ecd164c51158fa84bc14b
parent: c8c03696433e432beeb33184454cfb11bd34a306 (diff)
parent: 077d56ad1a8bf834ee45315d1793d8717b59cff5 (diff)
download: qcacld-e30fcb9c380a70b2a9f2d8935587e03c9dbc6122.tar.gz
1 files changed, 15 insertions, 1 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index 19d583901d..b08ec50bba 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -2655,8 +2655,22 @@ static QDF_STATUS wma_unified_bcn_tmpl_send(tp_wma_handle wma,
 		tmpl_len = *(uint32_t *) &bcn_info->beacon[0];
 	else
 		tmpl_len = bcn_info->beaconLength;
-	if (p2p_ie_len)
+
+	if (tmpl_len > WMI_BEACON_TX_BUFFER_SIZE) {
+		wma_err("tmpl_len: %d > %d. Invalid tmpl len", tmpl_len,
+			WMI_BEACON_TX_BUFFER_SIZE);
+		return -EINVAL;
+	}
+
+	if (p2p_ie_len) {
+		if (tmpl_len <= p2p_ie_len) {
+			wma_err("tmpl_len %d <= p2p_ie_len %d, Invalid",
+				tmpl_len, p2p_ie_len);
+			return -EINVAL;
+		}
 		tmpl_len -= (uint32_t) p2p_ie_len;
+	}
+
 	frm = bcn_info->beacon + bytes_to_strip;
 	tmpl_len_aligned = roundup(tmpl_len, sizeof(A_UINT32));
 	/*
author	Eva Huang <evahuang@google.com>	2021-11-24 16:17:30 +0800
committer	Eva Huang <evahuang@google.com>	2021-11-24 16:17:30 +0800
commit	e30fcb9c380a70b2a9f2d8935587e03c9dbc6122 (patch)
tree	3eb735b5f6b103762f8ecd164c51158fa84bc14b
parent	c8c03696433e432beeb33184454cfb11bd34a306 (diff)
parent	077d56ad1a8bf834ee45315d1793d8717b59cff5 (diff)
download	qcacld-e30fcb9c380a70b2a9f2d8935587e03c9dbc6122.tar.gz