Merge branch 'android-msm-barbet-4.19-sc-security' into android-msm-barbet-4.19-sc-qpr1
Jan 2022.1
Bug: 204278602
Change-Id: I6098535187114d6ca3657603efe33f00709f3162
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index 4dffca0..b11950a 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -2889,8 +2889,22 @@
tmpl_len = *(uint32_t *) &bcn_info->beacon[0];
else
tmpl_len = bcn_info->beaconLength;
- if (p2p_ie_len)
+
+ if (tmpl_len > WMI_BEACON_TX_BUFFER_SIZE) {
+ wma_err("tmpl_len: %d > %d. Invalid tmpl len", tmpl_len,
+ WMI_BEACON_TX_BUFFER_SIZE);
+ return -EINVAL;
+ }
+
+ if (p2p_ie_len) {
+ if (tmpl_len <= p2p_ie_len) {
+ wma_err("tmpl_len %d <= p2p_ie_len %d, Invalid",
+ tmpl_len, p2p_ie_len);
+ return -EINVAL;
+ }
tmpl_len -= (uint32_t) p2p_ie_len;
+ }
+
frm = bcn_info->beacon + bytes_to_strip;
tmpl_len_aligned = roundup(tmpl_len, sizeof(A_UINT32));
/*
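Review bot: The new upper bound compares `tmpl_len` only with `WMI_BEACON_TX_BUFFER_SIZE`, but the template is then taken from `frm = bcn_info->beacon + bytes_to_strip`, so a length at the limit could still run past the end of the source buffer once the offset is added. The declared size of `bcn_info->beacon` is not visible in this hunk; if it is a fixed array no larger than the TX buffer, the guard should also cover the offset, e.g. `if (tmpl_len > sizeof(bcn_info->beacon) - bytes_to_strip)`. Separately, `tmpl_len` looks like a `uint32_t` (it is loaded through `*(uint32_t *)` and has a `(uint32_t)` value subtracted from it), so both `wma_err` calls should print it with `%u` rather than `%d`; otherwise a very large rejected value is logged as negative. The enclosing function starts and ends outside the hunk, so the variable types and how `frm` is consumed are inferred and should be confirmed against the full file.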