From 99c00329bc13c526305dc826950c2cc117e6725d Mon Sep 17 00:00:00 2001 From: yeshwanth sriram guntuka Date: Mon, 3 Jul 2017 11:44:31 +0530 Subject: qcacld-2.0: Fix kernel memory corruption Buffer overflow in ConvertQosMapsetFrame function when num_dscp_exceptions value is less than 16. Fix is to return from function if num_dscp_exceptions is less than 16. Change-Id: I2fcce60b7fe5e988348cee786e9a4d493d9512fe CRs-Fixed: 2061544 --- CORE/SYS/legacy/src/utils/src/utilsParser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CORE/SYS/legacy/src/utils/src/utilsParser.c b/CORE/SYS/legacy/src/utils/src/utilsParser.c index 6c99939..e64ce33 100644 --- a/CORE/SYS/legacy/src/utils/src/utilsParser.c +++ b/CORE/SYS/legacy/src/utils/src/utilsParser.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved. + * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -706,6 +706,8 @@ void ConvertQosMapsetFrame(tpAniSirGlobal pMac, tSirQosMapSet* Qos, tDot11fIEQos tANI_U8 i,j=0; if (dot11fIE->num_dscp_exceptions > 58) dot11fIE->num_dscp_exceptions = 58; + if (dot11fIE->num_dscp_exceptions < 16) + return; Qos->num_dscp_exceptions = (dot11fIE->num_dscp_exceptions - 16)/2; for (i = 0; i < Qos->num_dscp_exceptions; i++) { -- cgit v1.1