qcacld-3.0: Validate number of requested EIDs in beacon request
If the requested info field in beacon report request is present,
the driver tries to allocate memory for the target beacon report
EIDs from the number of requested EIDs received from the frame.
In SLUB disabled builds, the qdf_mem_malloc function doesn't
validate if the size provided is 0 and returns the value
ZERO_SIZE_PTR(((void *)16)) for the pointer. When this pointer
is dereferenced, it causes invalid address dereference.
Since the number of requested EIDs is directly controlled by the
frame sent by AP, validate this value before using it to allocate
memory.
Bug: 144843138
Change-Id: Icbac3e952de0d7ae3144e9b319f2c51ccdf93ac5
CRs-Fixed: 2571480
Signed-off-by: Sunil Ravi <sunilravi@google.com>
1 file changed
