DivestOS/Patches/Linux_CVEs/CVE-2017-8241/ANY/0.patch

From 90213394b7efb28fa511b2eaebc1343ae3b54724 Mon Sep 17 00:00:00 2001
From: Sreelakshmi Konamki <skonam@codeaurora.org>
Date: Wed, 21 Sep 2016 15:17:42 +0530
Subject: qcacld-2.0: Update correct msg length in oemData_SendMBOemDataReq API

In oemData_SendMBOemDataReq(), messageLen of struct 'tSirOemDataReq'
is updated with more memory than allocated to the structure.

Fix is to update messageLen with size of struct.

Change-Id: Ib60fd07543f630985fe29427809d822275bbb8e0
CRs-Fixed: 1069175
---
 CORE/SME/src/oemData/oemDataApi.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/CORE/SME/src/oemData/oemDataApi.c b/CORE/SME/src/oemData/oemDataApi.c
index 3e42350..fc3f91c 100644
--- a/CORE/SME/src/oemData/oemDataApi.c
+++ b/CORE/SME/src/oemData/oemDataApi.c
@@ -208,7 +208,6 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
 {
     eHalStatus status = eHAL_STATUS_SUCCESS;
     tSirOemDataReq* pMsg;
-    tANI_U16 msgLen;
     tCsrRoamSession *pSession;
 
     smsLog(pMac, LOGW, "OEM_DATA: entering Function %s", __func__);
@@ -225,9 +224,8 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
         return eHAL_STATUS_FAILURE;
     }
 
-    msgLen = (uint16_t) (sizeof(*pMsg) + pOemDataReq->data_len);
     pMsg->messageType = pal_cpu_to_be16((tANI_U16)eWNI_SME_OEM_DATA_REQ);
-    pMsg->messageLen = pal_cpu_to_be16(msgLen);
+    pMsg->messageLen = pal_cpu_to_be16((uint16_t) sizeof(*pMsg));
     vos_mem_copy(pMsg->selfMacAddr, pSession->selfMacAddr, sizeof(tSirMacAddr) );
     pMsg->data_len = pOemDataReq->data_len;
     /* Incoming buffer ptr saved, set to null to avoid free by caller */
-- 
cgit v1.1