author Hsiu-Chang Chen <hsiuchangchen@google.com> 2022-11-29 22:48:35 -0800
committer Hsiu-Chang Chen <hsiuchangchen@google.com> 2023-03-19 16:07:07 +0800
commit 624454a8800671bf1ced0d14a450eba18fbb000e (patch)
tree b9c31f019868a1b99e042661ae0909f5546cab05
parent b81914402ed2b5913e89167eb5ac9359dcb8ce4b (diff)
download wlan-624454a8800671bf1ced0d14a450eba18fbb000e.tar.gz
qcacld-3.0: Fix OOB in wma_scan_roam.c

Currently in the wma_extscan_hotlist_match_event_handler API, dest_hotlist gets its memory allocation based on numap, which takes its value from event->total_entries. But numap is limited to WMA_EXTSCAN_MAX_HOTLIST_ENTRIES, and an event->total_entries of more than WMA_EXTSCAN_MAX_HOTLIST_ENTRIES can cause an out-of-bounds issue.

The fix is to populate dest_hotlist->numOfAps from numap instead of event->total_entries to avoid any out-of-bounds issue.

Bug: 251051975
Test: Regression Test
Change-Id: I756f7e4a4dcd454508bba83d4a8bbbb139530905
CRs-Fixed: 3346781
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>

-rw-r--r-- qcacld-3.0/core/wma/src/wma_scan_roam.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/qcacld-3.0/core/wma/src/wma_scan_roam.c b/qcacld-3.0/core/wma/src/wma_scan_roam.c
index 548ad52..9b0fd2f 100644
--- a/qcacld-3.0/core/wma/src/wma_scan_roam.c
+++ b/qcacld-3.0/core/wma/src/wma_scan_roam.c
@@ -1583,7 +1583,7 @@ int wma_extscan_hotlist_match_event_handler(void *handle,
return -ENOMEM;
dest_ap = &dest_hotlist->ap[0];
- dest_hotlist->numOfAps = event->total_entries;
+ dest_hotlist->numOfAps = numap;
dest_hotlist->requestId = event->config_request_id;
if (event->first_entry_index +
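
Review bot: at the changed assignment `dest_hotlist->numOfAps = numap;`, nothing in this hunk records that the firmware-reported event->total_entries was larger than the count actually stored, so a truncated hotlist looks identical to a complete one. Consider logging when event->total_entries differs from numap, and add a short comment at this line stating that numOfAps must equal the count used to size dest_hotlist, since that invariant is what the fix depends on. The check that begins `if (event->first_entry_index +` is cut off in the context shown; please confirm it is bounded by numap (or the same limit) rather than event->total_entries, otherwise later indexing from dest_ap = &dest_hotlist->ap[0] could still run past the allocation.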