From 0092b6736f8fe175e1337ba4ede07329c41c0eb2 Mon Sep 17 00:00:00 2001
From: Pragaspathi Thilagaraj
Date: Wed, 23 May 2018 17:08:45 +0530
Subject: [PATCH] qcacld-3.0: Fix possible OOB write in wma_update_intf_hw_mode_params

In the function wma_update_intf_hw_mode_params, vdev_id received from caller wma_pdev_set_hw_mode_resp_evt_handler, is used as the array index for wma->interfaces. If vdev_id exceeds wma->max_bssid then a possible OOB write could occur. Add check to validate vdev_id against wma->max_bssid. Print error if it exceeds.
Change-Id: I3ddf5e1b24fbd2bd401ac879219300857d05e4b7
CRs-Fixed: 2243990
---
 core/wma/src/wma_main.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/core/wma/src/wma_main.c b/core/wma/src/wma_main.c
index 2115a6b57c..729d273269 100644
--- a/core/wma/src/wma_main.c
+++ b/core/wma/src/wma_main.c
@@ -3831,6 +3831,12 @@ static int wma_pdev_set_hw_mode_resp_evt_handler(void *handle,
 QDF_BUG(0);
 goto fail;
 }
+ if (vdev_id >= wma->max_bssid) {
+ WMA_LOGE("%s: vdev_id: %d is invalid, max_bssid: %d",
+ __func__, vdev_id, wma->max_bssid);
+ goto fail;
+ }
+
 mac_id = WMA_PDEV_TO_MAC_MAP(vdev_mac_entry[i].pdev_id);
 WMA_LOGD("%s: vdev_id:%d mac_id:%d",
@@ -3921,6 +3927,11 @@ void wma_process_pdev_hw_mode_trans_ind(void *handle,
 QDF_BUG(0);
 return;
 }
+ if (vdev_id >= wma->max_bssid) {
+ WMA_LOGE("%s: vdev_id: %d is invalid, max_bssid: %d",
+ __func__, vdev_id, wma->max_bssid);
+ return;
+ }
 mac_id = WMA_PDEV_TO_MAC_MAP(vdev_mac_entry[i].pdev_id);
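Review bot: The bounds check is added at the two call sites (in wma_pdev_set_hw_mode_resp_evt_handler and again in wma_process_pdev_hw_mode_trans_ind), while the commit message locates the out-of-bounds index in wma_update_intf_hw_mode_params, which this patch does not touch. Any other or future caller that hands it an unvalidated vdev_id still reaches the wma->interfaces write, so the same `if (vdev_id >= wma->max_bssid)` guard with the WMA_LOGE should also sit at the top of the callee (its signature is not visible here). Because the check runs per entry inside the loop over vdev_mac_entry[i], entries before the invalid one have presumably been applied already when `goto fail` or `return` is taken; validating every entry before applying any would avoid a partial update. Both loop bodies start and end outside the hunks, so the declarations are not visible; if vdev_id and max_bssid are unsigned, the new log line should use `%u` rather than `%d`.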