qcacmn: Replace MAX_CHANNELS with NUM_CHANNELS in wifipos module

In wifipos component, channel info array is allocated for MAX_CHANNELS(255)
and passed to the regulatory module which uses NUM_CHANNELS to fill the
channels. NUM_CHANNELS can be more than 255. This may lead to an array out
of boundary access.

Use NUM_CHANNELS in the wifipos component to allocate the channel info
array. Also, add a boundary check on the number of channels received from
the regulatory component.

Change-Id: I5b7a7a4767d8bbb259c5631cf744e57ee3e1effb
CRs-Fixed: 2938879
Shashikala Prabhu
2021-05-05 12:11:54 +05:30
committet von Madan Koyyalamudi
Ursprung 434c3f1532
Commit 005e1f3dd7
2 geänderte Dateien mit 8 neuen und 3 gelöschten Zeilen


@@ -32,7 +32,6 @@
#define OEM_TARGET_SIGNATURE_LEN 8
#define OEM_TARGET_SIGNATURE "QUALCOMM"
#define MAX_CHANNELS 255
#define OEM_CAP_MAX_NUM_CHANNELS 128
#define WIFI_POS_RSP_V1_FLAT_MEMORY 0x00000001
@@ -98,7 +97,7 @@ struct wifi_pos_channel_power {
*/
struct qdf_packed wifi_pos_channel_list {
uint16_t num_channels;
struct wifi_pos_channel_power chan_info[MAX_CHANNELS];
struct wifi_pos_channel_power chan_info[NUM_CHANNELS];
};
/**
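Review bot: The bound of `chan_info` in `struct wifi_pos_channel_list` is now tied to the regulatory module's `NUM_CHANNELS`, but nothing at the member says so, which makes it easy for a later change to reintroduce a private limit. I would add a comment on the member such as `/* sized by NUM_CHANNELS so it can hold every channel the regulatory module may report */`. Because the struct is `qdf_packed` and its size grows with this change, any code that copies it into a fixed-size buffer or places it on the stack is worth re-checking; no such user is visible in this section, so this is a question rather than a finding. The header that defines `NUM_CHANNELS` also has to be reachable from this file, and the include lines are outside the hunk.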


@@ -498,7 +498,7 @@ static void wifi_pos_pdev_iterator(struct wlan_objmgr_psoc *psoc,
wifi_pos_ch = &chan_list->chan_info[chan_list->num_channels];
ch_info = (struct channel_power *)qdf_mem_malloc(
sizeof(*ch_info) * MAX_CHANNELS);
sizeof(*ch_info) * NUM_CHANNELS);
if (!ch_info) {
wifi_pos_err("ch_info is null");
return;
@@ -513,6 +513,12 @@ static void wifi_pos_pdev_iterator(struct wlan_objmgr_psoc *psoc,
return;
}
if ((chan_list->num_channels + num_channels) > NUM_CHANNELS) {
wifi_pos_err("Invalid number of channels");
qdf_mem_free(ch_info);
return;
}
for (i = 0; i < num_channels; i++) {
wifi_pos_ch[i].ch_power.center_freq = ch_info[i].center_freq;
wifi_pos_ch[i].ch_power.chan_num = ch_info[i].chan_num;
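Review bot: The new guard `(chan_list->num_channels + num_channels) > NUM_CHANNELS` only protects the copy loop if `num_channels` and `i` can hold the full range of `NUM_CHANNELS`, which the commit message says may exceed 255. Their declarations are outside the hunk (`wifi_pos_pdev_iterator` starts and ends outside it). If either is an 8-bit type, the count from the regulatory call would be truncated before this check and the loop would copy fewer entries than were filled. Please confirm both are at least as wide as `uint16_t num_channels` in the list struct. It would also help triage to log the two counts, e.g. `wifi_pos_err("Invalid number of channels: %u + %u", chan_list->num_channels, num_channels);` with format specifiers adjusted to the actual types.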