qcacld-3.0: Fix PRE_CAC_SSID check bounds check

If the ssid_len was greater than the PRE_CAC_SSID string, memcmp would do an out of bounds memory read. Fix by adding a length check. Change-Id: I0d72cfdb2faea74db06640df7418f2a7aecd9afb CRs-Fixed: 2098988
2017-08-24 16:59:35 -07:00 · 2017-08-24 16:59:35 -07:00 · 1942caece7
commit 1942caece7
parent b10ec496b6
1 changed files with 2 additions and 1 deletions
--- a/core/hdd/src/wlan_hdd_hostapd.c
+++ b/core/hdd/src/wlan_hdd_hostapd.c
@ -8196,7 +8196,8 @@ int wlan_hdd_cfg80211_start_bss(struct hdd_adapter *pHostapdAdapter,
 		}
 	}
 	if (!hdd_ctx->config->force_sap_acs &&
-	    !(ssid && (0 == qdf_mem_cmp(ssid, PRE_CAC_SSID, ssid_len)))) {
+	    !(ssid && qdf_str_len(PRE_CAC_SSID) == ssid_len &&
+	      (0 == qdf_mem_cmp(ssid, PRE_CAC_SSID, ssid_len)))) {
 		pIe = wlan_get_ie_ptr_from_eid(WLAN_EID_SUPP_RATES,
 					&pMgmt_frame->u.beacon.variable[0],
 					pBeacon->head_len);