DivestOS/Patches/Linux_CVEs/CVE-2017-8241/qcacld-2.0/0001.patch
2017-11-07 18:55:10 -05:00

43 lines
1.7 KiB
Diff

From 90213394b7efb28fa511b2eaebc1343ae3b54724 Mon Sep 17 00:00:00 2001
From: Sreelakshmi Konamki <skonam@codeaurora.org>
Date: Wed, 21 Sep 2016 15:17:42 +0530
Subject: qcacld-2.0: Update correct msg length in oemData_SendMBOemDataReq API
In oemData_SendMBOemDataReq(), messageLen of struct 'tSirOemDataReq'
is updated with more memory than allocated to the structure.
Fix is to update messageLen with size of struct.
Change-Id: Ib60fd07543f630985fe29427809d822275bbb8e0
CRs-Fixed: 1069175
---
CORE/SME/src/oemData/oemDataApi.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/CORE/SME/src/oemData/oemDataApi.c b/CORE/SME/src/oemData/oemDataApi.c
index 3e42350..fc3f91c 100644
--- a/CORE/SME/src/oemData/oemDataApi.c
+++ b/CORE/SME/src/oemData/oemDataApi.c
@@ -208,7 +208,6 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
{
eHalStatus status = eHAL_STATUS_SUCCESS;
tSirOemDataReq* pMsg;
- tANI_U16 msgLen;
tCsrRoamSession *pSession;
smsLog(pMac, LOGW, "OEM_DATA: entering Function %s", __func__);
@@ -225,9 +224,8 @@ eHalStatus oemData_SendMBOemDataReq(tpAniSirGlobal pMac, tOemDataReq *pOemDataRe
return eHAL_STATUS_FAILURE;
}
- msgLen = (uint16_t) (sizeof(*pMsg) + pOemDataReq->data_len);
pMsg->messageType = pal_cpu_to_be16((tANI_U16)eWNI_SME_OEM_DATA_REQ);
- pMsg->messageLen = pal_cpu_to_be16(msgLen);
+ pMsg->messageLen = pal_cpu_to_be16((uint16_t) sizeof(*pMsg));
vos_mem_copy(pMsg->selfMacAddr, pSession->selfMacAddr, sizeof(tSirMacAddr) );
pMsg->data_len = pOemDataReq->data_len;
/* Incoming buffer ptr saved, set to null to avoid free by caller */
--
cgit v1.1