
qcacmn: Add array out of bound access checks

- Add NULL check of the pointer "afc_req" in the function
reg_get_partial_afc_req_info() before it is dereferenced to avoid
NULL pointer dereference.

- Add array size check in the reg_compute_chan_to_freq_for_chlist()
API to avoid the array out of bound access to "chan_list" array.

- Make use of the function reg_is_supp_pwr_mode_invalid() which
does the boundary check for the arrays chan_info->state_arr[] and
chan_info->chan_flags_arr[] to avoid out of bound array access.

- Add a check in the reg_freq_to_chan_for_chlist() API to avoid chan_list[]
array out of bound access.

Change-Id: Ifcade9e971a77f483d5c5138206eab47454f28ad
CRs-Fixed: 3184214
Vignesh U 3 tahun lalu
induk
melakukan
1fe27938f7

+ 4 - 1
umac/regulatory/core/src/reg_build_chan_list.c

@@ -3558,7 +3558,10 @@ static void reg_disable_sp_entries_in_supr_chan_entry(
 	uint8_t num_sp_lists = QDF_ARRAY_SIZE(list_of_sp_lists);
 
 	for (j = 0; j < num_sp_lists; j++) {
-		uint8_t idx = list_of_sp_lists[j];
+		enum supported_6g_pwr_types  idx = list_of_sp_lists[j];
+
+		if (reg_is_supp_pwr_mode_invalid(idx))
+			continue;
 
 		reg_dis_chan_state_and_flags(&chan_info->state_arr[idx],
 					     &chan_info->chan_flags_arr[idx]);
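Review bot: The new `continue` at the top of the loop skips an invalid entry silently, so a bad value in `list_of_sp_lists` would go unnoticed. That list appears to be a fixed table declared above the hunk, so a rate-limited log before the `continue` would make such a programming error visible. The bound that `reg_is_supp_pwr_mode_invalid()` enforces is not visible here, so it is worth confirming that it matches the declared length of both `state_arr[]` and `chan_flags_arr[]`. Style: the declaration carries a double space and should read `enum supported_6g_pwr_types idx = list_of_sp_lists[j];`.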

+ 19 - 0
umac/regulatory/core/src/reg_services_common.c

@@ -1488,6 +1488,11 @@ reg_freq_to_chan_for_chlist(struct regulatory_channel *chan_list,
 {
 	uint32_t count;
 
+	if (num_chans == INVALID_CHANNEL) {
+		reg_err_rl("invalid num_chans");
+		return 0;
+	}
+
 	for (count = 0; count < num_chans; count++) {
 		if (chan_list[count].center_freq >= freq)
 			break;
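Review bot: The added guard compares `num_chans` only with the sentinel `INVALID_CHANNEL`, so any other count larger than the real length of `chan_list` still reaches `chan_list[count]` in the loop. The same sentinel-only pattern is used for `min_chan_range`/`max_chan_range` in the reg_compute_chan_to_freq_for_chlist() hunk below. An upper-bound comparison against the list's actual capacity would match the commit's stated goal, for example `if (num_chans > <capacity of chan_list>)` (placeholder; the capacity constant is not visible in the hunk). `chan_list` itself is also not checked for NULL. The function body continues past the hunk, so whether `chan_list[count]` is read again after the loop ends with `count == num_chans` cannot be confirmed from here.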
@@ -1571,6 +1576,14 @@ reg_compute_chan_to_freq_for_chlist(struct regulatory_channel *chan_list,
 {
 	uint16_t count;
 
+	if (min_chan_range == INVALID_CHANNEL ||
+	    max_chan_range == INVALID_CHANNEL) {
+		reg_debug_rl("Invalid channel range: min_chan_range: 0x%X max_chan_range: 0x%X",
+			     min_chan_range,
+			     max_chan_range);
+		return 0;
+	}
+
 	for (count = min_chan_range; count <= max_chan_range; count++) {
 		if ((chan_list[count].state != CHANNEL_STATE_DISABLE) &&
 		    !(chan_list[count].chan_flags & REGULATORY_CHAN_DISABLED)) {
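Review bot: The rejection path logs with `reg_debug_rl()` while the matching guard in reg_freq_to_chan_for_chlist() uses `reg_err_rl()`, so an invalid range may not appear in logs where debug output is disabled. Using `reg_err_rl("Invalid channel range: min_chan_range: 0x%X max_chan_range: 0x%X", ...)` would keep the two guards consistent. The loop bound `count <= max_chan_range` is inclusive, so a short comment above the guard would help callers, such as `/* max_chan_range is an inclusive index and must be within chan_list */`. The function body continues past the hunk.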
@@ -7134,6 +7147,12 @@ reg_get_partial_afc_req_info(struct wlan_objmgr_pdev *pdev,
 	QDF_STATUS status;
 	struct wlan_regulatory_pdev_priv_obj *pdev_priv_obj;
 
+	if (!afc_req) {
+		reg_err("afc_req is NULL");
+		status = QDF_STATUS_E_INVAL;
+		return status;
+	}
+
 	temp_afc_req = NULL;
 	pdev_priv_obj = reg_get_pdev_obj(pdev);
 	if (!IS_VALID_PDEV_REG_OBJ(pdev_priv_obj)) {
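Review bot: The new NULL branch assigns `status` only to return it on the next line; `return QDF_STATUS_E_INVAL;` says the same in one statement and avoids suggesting that `status` is used afterwards. The function's header comment is outside the hunk; if it does not already say so, it should state that `afc_req` must be non-NULL and that `QDF_STATUS_E_INVAL` is returned otherwise. The function begins above the hunk and continues past it, so how the remaining error paths treat `afc_req` cannot be seen from here.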