diff options
author | Winnie Chen <winnie.chen@broadcom.corp-partner.google.com> | 2020-07-15 17:47:40 +0800 |
---|---|---|
committer | Ahmed ElArabawy <arabawy@google.com> | 2020-07-22 21:35:53 -0700 |
commit | 90bf6a6d3ee908a19697c679335c7c92882a87e3 (patch) | |
tree | 31350a1ef34cd6472fb79952780e0cd3c532df73 | |
parent | 71f7df79597d6580c62b3bf015314aed9c527493 (diff) | |
download | bcm43752-90bf6a6d3ee908a19697c679335c7c92882a87e3.tar.gz |
bcmdhd: out-of-boundary in wl_cfg80211_sched_scan_start
Initialize the size of tlv_data->value to prevent from illegal memory access.
There are 3 cases for tlv_data: ssid, channel, rssi.
And ssid is the max size.
BUG: 160760185
Test: Hikey960 + Android 11 + BCM43752PCIe
Signed-off-by: Winnie Chen <winnie.chen@broadcom.corp-partner.google.com>
Change-Id: Ib200c51c2db7d887ccdf53bfc252d190c304285f
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
-rwxr-xr-x | dhd_debug.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/dhd_debug.h b/dhd_debug.h index b0d1128..c7a1717 100755 --- a/dhd_debug.h +++ b/dhd_debug.h @@ -249,7 +249,7 @@ typedef enum { typedef struct { uint16 tag; uint16 len; /* length of value */ - uint8 value[0]; + uint8 value[DOT11_MAX_SSID_LEN]; } tlv_log; typedef struct per_packet_status_entry { |