
qcacld-3.0: Add vdev_id sanity check in wma_vdev_stop_resp_handler

In function wma_vdev_stop_resp_handler, resp_event->vdev_id is
received from the FW and is used to access the interfaces array in
wma_handle. This could lead to OOB read/write if the vdev_id
received from the FW is greater than or equal to max_bssid.

Add a check to return failure if resp_event->vdev_id is greater than
or equal to max_bssid in wma_vdev_stop_resp_handler.

Change-Id: I1af5312e6c45db3b9ba03fbf45de3d3c2a7fab20
CRs-Fixed: 2185477
Vignesh Viswanathan 7 years ago
parent
commit
08ad8a0a34
1 changed file with 8 additions and 7 deletions
core/wma/src/wma_dev_if.c (8 additions, 7 deletions)

@@ -1945,6 +1945,13 @@ int wma_vdev_stop_resp_handler(void *handle, uint8_t *cmd_param_info,
 	}
 
 	resp_event = param_buf->fixed_param;
+
+	if (resp_event->vdev_id >= wma->max_bssid) {
+		WMA_LOGE("%s: Invalid vdev_id %d from FW",
+				__func__, resp_event->vdev_id);
+		return -EINVAL;
+	}
+
 	iface = &wma->interfaces[resp_event->vdev_id];
 	wma_release_wakelock(&iface->vdev_stop_wakelock);
 
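Review bot: The early `return -EINVAL` in the new check runs before `wma_release_wakelock(&iface->vdev_stop_wakelock)`, so when the firmware reports an out-of-range vdev_id, the stop wakelock of whichever vdev actually issued the request stays held on this path. There is no trustworthy index to release against at this point, so the return itself is right, but a short comment saying so (and confirming whether another path releases the lock) would help the next reader. Style: the continuation line of the WMA_LOGE call is indented with extra tabs rather than aligned under the opening parenthesis, and if vdev_id is an unsigned field, `%u` is the matching format specifier.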
@@ -1956,8 +1963,7 @@ int wma_vdev_stop_resp_handler(void *handle, uint8_t *cmd_param_info,
 		return -EINVAL;
 	}
 
-	if ((resp_event->vdev_id < wma->max_bssid) &&
-	    (qdf_atomic_read
+	if ((qdf_atomic_read
 		     (&wma->interfaces[resp_event->vdev_id].vdev_restart_params.
 		     hidden_ssid_restart_in_progress))
 	    && ((wma->interfaces[resp_event->vdev_id].type == WMI_VDEV_TYPE_AP)
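Review bot: Dropping the range test from this condition is safe only because of the check added right after `resp_event = param_buf->fixed_param;`, and nothing at this site says so. The condition still indexes `wma->interfaces[resp_event->vdev_id]` twice even though `iface` already points at that entry. Using `iface->vdev_restart_params.hidden_ssid_restart_in_progress` and `iface->type` would make it obvious that only the one validated lookup is used, and would remove the awkward break after `(qdf_atomic_read`.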
@@ -1996,11 +2002,6 @@ int wma_vdev_stop_resp_handler(void *handle, uint8_t *cmd_param_info,
 		tpDeleteBssParams params =
 			(tpDeleteBssParams) req_msg->user_data;
 
-		if (resp_event->vdev_id >= wma->max_bssid) {
-			WMA_LOGE("%s: Invalid vdev_id %d", __func__,
-				 resp_event->vdev_id);
-		}
-
 		if (iface->handle == NULL) {
 			WMA_LOGE("%s vdev id %d is already deleted",
 				 __func__, resp_event->vdev_id);
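Review bot: The block removed here only logged the invalid vdev_id and fell through without returning, and it sat after `iface` had already been taken from `wma->interfaces[resp_event->vdev_id]`, so it never bounded the access. The commit message describes the change as adding a check. It should also say that this older log-only check existed and was ineffective, since that explains why the validation has to sit at the top of the handler.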