qcacmn: Fix OOB issue
Changes to fix OOB issue seen util_scan_parse_beacon_frame.
Bug: 323926776
Test: Regression Test
Change-Id: I53244be54d31e87b55d0b44ce94315c8001f417d
CRs-Fixed: 3582496
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
diff --git a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
index d8d688e..34e4f5e 100644
--- a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
+++ b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
@@ -146,6 +146,9 @@
/* Max channel switch time IE length */
#define WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN 4
+#define WLAN_MIN_HECAP_IE_LEN 22
+#define WLAN_MAX_HECAP_IE_LEN 55
+
/* HT capability flags */
#define WLAN_HTCAP_C_ADVCODING 0x0001
#define WLAN_HTCAP_C_CHWIDTH40 0x0002
diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index 655af7c..62e8e00 100644
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -433,6 +433,9 @@
scan_params->ie_list.srp = (uint8_t *)ie;
break;
case WLAN_EXTN_ELEMID_HECAP:
+ if ((extn_ie->ie_len < WLAN_MIN_HECAP_IE_LEN) ||
+ (extn_ie->ie_len > WLAN_MAX_HECAP_IE_LEN))
+ return QDF_STATUS_E_INVAL;
scan_params->ie_list.hecap = (uint8_t *)ie;
break;
case WLAN_EXTN_ELEMID_HEOP:
