From: Sushant Butta
Date: Wed, 15 Apr 2020 15:58:54 +0000 (+0530)
Subject: [RAMEN9610-21543]wlbt: Fix for buffer overflow in slsi_add_to_scan_list
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=885d85ebd2b11f1ca3c955df98b880ae2b391d75;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git
[RAMEN9610-21543]wlbt: Fix for buffer overflow in slsi_add_to_scan_list
Changes are done to address buffer overflow in slsi_add_to_scan_list.
SCSC-Bug-Id: HOST-12608
Signed-off-by: Sushant Butta
Change-Id: Ic938f40bbc2570f5565e2e596a732e1de93c8094
Signed-off-by: Youngsoo Kim
---
diff --git a/drivers/net/wireless/scsc/rx.c b/drivers/net/wireless/scsc/rx.c
index bd9d20feae18..3a72a56ea224 100755
--- a/drivers/net/wireless/scsc/rx.c
+++ b/drivers/net/wireless/scsc/rx.c
@@ -339,7 +339,15 @@ void slsi_rx_scan_ind(struct slsi_dev *sdev, struct net_device *dev, struct sk_b
 #endif
 scan_ssid = cfg80211_find_ie(WLAN_EID_SSID, mgmt->u.probe_resp.variable, ie_len);
+
+ if (scan_ssid && scan_ssid[1] && scan_ssid[1] > IEEE80211_MAX_SSID_LEN) {
+ SLSI_NET_ERR(dev, "Dropping scan result due to unexpected ssid length(%d)\n", scan_ssid[1]);
+ slsi_kfree_skb(skb);
+ return;
+ }
+
 if (scan_ssid && scan_ssid[1] && ((ie_len - (scan_ssid - mgmt->u.probe_resp.variable) + 2) < scan_ssid[1])) {
+ SLSI_NET_ERR(dev, "Dropping scan result due to skb data is less than ssid len(%d)\n", scan_ssid[1]);
 slsi_kfree_skb(skb);
 return;
 }
diff --git a/include/scsc/scsc_release.h b/include/scsc/scsc_release.h
index 10212ca2b1e5..bbe0901b51eb 100644
--- a/include/scsc/scsc_release.h
+++ b/include/scsc/scsc_release.h
@@ -23,7 +23,7 @@
 #define SCSC_RELEASE_ITERATION 17
 #define SCSC_RELEASE_CANDIDATE 1
-#define SCSC_RELEASE_POINT 0
+#define SCSC_RELEASE_POINT 1
 #endif
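Review bot: In the rx.c hunk, the remaining-length test that gains the second log line adds 2 to the bytes left after the SSID element (`ie_len - (scan_ssid - mgmt->u.probe_resp.variable) + 2`), where the element's two header bytes would need to be subtracted, so as written it appears to accept an SSID length up to four bytes past the end of the IE data. The expected condition is `(ie_len - (scan_ssid - mgmt->u.probe_resp.variable) - 2) < scan_ssid[1]`; if cfg80211_find_ie already rejects elements that run past ie_len, the test is redundant and could be dropped instead. In the new check the middle `scan_ssid[1] &&` term is implied by `scan_ssid[1] > IEEE80211_MAX_SSID_LEN`. Both values come from a received frame, and the copy in slsi_add_to_scan_list named in the subject is not part of this diff, so it is worth confirming that the copy itself is bounded by IEEE80211_MAX_SSID_LEN and that these per-frame SLSI_NET_ERR messages are rate-limited. slsi_rx_scan_ind begins and ends outside the hunk.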