[RAMEN9610-21543]wlbt: Fix for buffer overflow in slsi_add_to_scan_list
authorSushant Butta <b.sushant@samsung.com>
Wed, 15 Apr 2020 15:58:54 +0000 (21:28 +0530)
committerCosmin Tanislav <demonsingur@gmail.com>
Mon, 22 Apr 2024 17:23:39 +0000 (20:23 +0300)
Changes are made to address a buffer overflow in
slsi_add_to_scan_list.

SCSC-Bug-Id: HOST-12608
Signed-off-by: Sushant Butta <b.sushant@samsung.com>
Change-Id: Ic938f40bbc2570f5565e2e596a732e1de93c8094
Signed-off-by: Youngsoo Kim <youngss.kim@samsung.com>
drivers/net/wireless/scsc/rx.c
include/scsc/scsc_release.h

index bd9d20feae18ddf490f8fe62d6d04697c23abe05..3a72a56ea2249fc7ea35b7c82c84cd6d8c82575e 100755 (executable)
@@ -339,7 +339,15 @@ void slsi_rx_scan_ind(struct slsi_dev *sdev, struct net_device *dev, struct sk_b
 #endif
 
        scan_ssid = cfg80211_find_ie(WLAN_EID_SSID, mgmt->u.probe_resp.variable, ie_len);
+
+       if (scan_ssid && scan_ssid[1] && scan_ssid[1] > IEEE80211_MAX_SSID_LEN) {
+               SLSI_NET_ERR(dev, "Dropping scan result due to unexpected ssid length(%d)\n", scan_ssid[1]);
+               slsi_kfree_skb(skb);
+               return;
+       }
+
        if (scan_ssid && scan_ssid[1] && ((ie_len - (scan_ssid - mgmt->u.probe_resp.variable) + 2) < scan_ssid[1])) {
+               SLSI_NET_ERR(dev, "Dropping scan result due to skb data is less than ssid len(%d)\n", scan_ssid[1]);
                slsi_kfree_skb(skb);
                return;
        }
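Review bot: The retained check after the new guard adds 2 where it should subtract it. `ie_len - (scan_ssid - mgmt->u.probe_resp.variable)` is the number of bytes left from the start of the SSID element, and the two-byte element header uses part of that, so the condition as written still accepts a declared length up to four bytes past the end of the IE buffer. The comparison would read `if (scan_ssid && scan_ssid[1] && ((ie_len - (scan_ssid - mgmt->u.probe_resp.variable) - 2) < scan_ssid[1])) {`; cfg80211_find_ie probably rejects a truncated element already, which would make this defence in depth, but that is not visible here. In the new guard the `scan_ssid[1] &&` term is redundant, since any value above IEEE80211_MAX_SSID_LEN is non-zero. Both SLSI_NET_ERR calls are triggered by over-the-air frames, so it is worth confirming the macro is rate limited, otherwise malformed beacons can flood the kernel log. slsi_rx_scan_ind starts and ends outside the hunk, and the copy in slsi_add_to_scan_list that the commit message names is not shown, so other callers of that function may still need the same bound.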
index 10212ca2b1e54612689a0f7ccd1561187cb1fac2..bbe0901b51eb77664d1ddc582f6ceb867adebf70 100644 (file)
@@ -23,7 +23,7 @@
 #define SCSC_RELEASE_ITERATION 17
 #define SCSC_RELEASE_CANDIDATE 1
 
-#define SCSC_RELEASE_POINT 0
+#define SCSC_RELEASE_POINT 1
 
 #endif