qcacld-3.0: Validate session_id in __wlan_ipa_wlan_evt

Session_id in __wlan_ipa_wlan_evt is used as an index
to access the array ipa_ctx->vdev_to_iface[].

Add sanity check for session_id to avoid invalid access.

Change-Id: Ie6079924c4772c3fa892b4537120db136a899885
CRs-Fixed: 2395162
Rakshith Suresh Patkar
2019-02-08 16:17:27 +05:30
committed by nshrivas
parent 10ab5edfea
commit 107a659f57


@@ -1497,6 +1497,9 @@ static QDF_STATUS __wlan_ipa_wlan_evt(qdf_netdev_t net_dev, uint8_t device_mode,
int i;
QDF_STATUS status;
uint8_t sta_session_id = WLAN_IPA_MAX_SESSION;
struct wlan_objmgr_pdev *pdev;
struct wlan_objmgr_psoc *psoc;
struct wlan_objmgr_vdev *vdev;
ipa_debug("%s: EVT: %d, MAC: %pM, sta_id: %d session_id: %u",
net_dev->name, type, mac_addr, sta_id, session_id);
@@ -1510,6 +1513,14 @@ static QDF_STATUS __wlan_ipa_wlan_evt(qdf_netdev_t net_dev, uint8_t device_mode,
return QDF_STATUS_SUCCESS;
}
pdev = ipa_ctx->pdev;
psoc = wlan_pdev_get_psoc(pdev);
vdev = wlan_objmgr_get_vdev_by_id_from_psoc(psoc, session_id,
WLAN_IPA_ID);
QDF_BUG((session_id < WLAN_IPA_MAX_SESSION) && vdev);
if (vdev)
wlan_objmgr_vdev_release_ref(vdev, WLAN_IPA_ID);
if (ipa_ctx->sta_connected) {
iface_ctx = wlan_ipa_get_iface(ipa_ctx, QDF_STA_MODE);
if (iface_ctx)
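Review bot: The added `QDF_BUG((session_id < WLAN_IPA_MAX_SESSION) && vdev);` reports an out-of-range session_id but does not reject it, so on builds where QDF_BUG only logs instead of panicking, execution presumably continues to the code that indexes `ipa_ctx->vdev_to_iface[]` with the unchecked value. An explicit guard placed before the vdev lookup would hold in every build configuration, for example `if (session_id >= WLAN_IPA_MAX_SESSION) return QDF_STATUS_E_INVAL;`. Whether a missing vdev should also be an error return, rather than only an assertion, depends on which events can legitimately arrive after the vdev is gone. The rest of __wlan_ipa_wlan_evt lies outside this hunk, so confirm that no array access precedes the new check and that an early return here skips no cleanup.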