authorKhanjan Desai <khanjan@codeaurora.org>2021-02-15 19:55:48 +0530
committerKhanjan Desai <khanjan@codeaurora.org>2021-02-15 19:57:13 +0530
commit711dfb7771da1366b40aa60b5a89580561cf01b1 (patch)
tree5f708f8275d3982accf2a75f634c8a04e6777527
parent2777b3a69a7517627e04c5873c496e974a3717c7 (diff)
Invalid indexing for tb_vendor
In the get sta info handler, tb_vendor was parsed with an invalid length value, NL80211_ATTR_MAX_INTERNAL. This can lead to a buffer overflow. Corrected the length to GET_STATION_INFO_MAX. Change-Id: Ida1091e1d805cdb31452174010cc39d568f5e101 CRs-Fixed: 2875794
-rw-r--r--qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
index c2db662..92f18c0 100644
--- a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
+++ b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
@@ -1307,7 +1307,7 @@ static int get_sta_info_handler(struct nl_msg *msg, void *arg)
vendor_data = nla_data(tb[NL80211_ATTR_VENDOR_DATA]);
vendor_len = nla_len(tb[NL80211_ATTR_VENDOR_DATA]);
- if (nla_parse(tb_vendor, NL80211_ATTR_MAX_INTERNAL,
+ if (nla_parse(tb_vendor, GET_STA_INFO_MAX,
vendor_data, vendor_len, NULL)) {
wpa_printf(MSG_ERROR,"NL80211_ATTR_VENDOR_DATA parse error");
return -1;
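Review bot: The new bound in the `nla_parse(tb_vendor, GET_STA_INFO_MAX, ...)` call is only safe if `tb_vendor` is declared with `GET_STA_INFO_MAX + 1` elements, because `nla_parse` fills slots 0 through the maximum type inclusive. The declaration is outside this hunk, so this should be confirmed. Tying the bound to the array would stop the two from drifting apart again, for example `nla_parse(tb_vendor, sizeof(tb_vendor) / sizeof(tb_vendor[0]) - 1, vendor_data, vendor_len, NULL)`, assuming `tb_vendor` is a true array in this function. The policy argument is still `NULL`, so the payload length of each nested attribute is not validated by the parse. Whatever later code in `get_sta_info_handler` reads `tb_vendor[...]` (not visible here) should check `nla_len` before using the value, or a policy table should be passed.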