From 3064b4603c9d7df34ca33b557adbf2a2348c4ac0 Mon Sep 17 00:00:00 2001
From: Rahul Gusain
Date: Mon, 20 Feb 2023 18:38:51 +0530
Subject: [PATCH] qcacld-3.0: Out of bound access in ML connection
Currently, while fetching pcl for some vdev id, host driver retrieves the number of ML connection and provide as max index value for vdev list and info array. This max index can't be more than MAX_NUMBER_OF_CONC_CONNECTIONS from functionality perspective. But static analyzer tool complains that there are chances for out of bound access of the given arrays while filling the indexes. So, to fix this, add checks to avoid any such possible out bound access.
Change-Id: I09261e23620df5fc73887c9e5633b408afa66796
CRs-Fixed: 3412348
---
 .../cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/components/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c b/components/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
index 895618115c..5dd9f79e93 100644
--- a/components/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
+++ b/components/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
@@ -238,7 +238,9 @@ policy_mgr_get_pcl_concurrent_connetions(struct wlan_objmgr_psoc *psoc,
 if (!has_same_band && vdev_id_with_diff_band != WLAN_INVALID_VDEV_ID) {
 policy_mgr_debug("vdev_ids[%d]: %d", num_related, vdev_id_with_diff_band);
- vdev_ids[num_related++] = vdev_id_with_diff_band;
+
+ if (num_related < vdev_ids_size)
+ vdev_ids[num_related++] = vdev_id_with_diff_band;
 }
 out:
@@ -289,7 +291,7 @@ QDF_STATUS policy_mgr_get_pcl_for_vdev_id(struct wlan_objmgr_psoc *psoc,
 id_num = policy_mgr_get_pcl_concurrent_connetions(psoc, mode, vdev_id, ids, QDF_ARRAY_SIZE(ids));
- if (!id_num) {
+ if (!id_num || id_num > MAX_NUMBER_OF_CONC_CONNECTIONS) {
 status = QDF_STATUS_E_FAILURE;
 goto out;
 }
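Review bot: In the first hunk the `policy_mgr_debug("vdev_ids[%d]: %d", ...)` call still runs ahead of the new `num_related < vdev_ids_size` guard, so when the array is already full the log reports a slot that is never written and the vdev id is dropped without any trace. Putting the log under the guard keeps the trace truthful, `if (num_related < vdev_ids_size) { policy_mgr_debug("vdev_ids[%d]: %d", num_related, vdev_id_with_diff_band); vdev_ids[num_related++] = vdev_id_with_diff_band; }`, and a short message on the skipped path would make the truncation visible to whoever debugs a wrong PCL later. The function body starts outside the hunk, so whether the earlier stores into `vdev_ids` are bounded by `vdev_ids_size` in the same way cannot be confirmed from here and is worth checking in the same pass.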
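Review bot: In the second hunk the added upper bound `id_num > MAX_NUMBER_OF_CONC_CONNECTIONS` is tested against a constant rather than against the arrays that `id_num` goes on to index, and it only runs after the callee has already filled `ids`. The callee receives `QDF_ARRAY_SIZE(ids)` as its capacity, so comparing against the same expression, `if (!id_num || id_num > QDF_ARRAY_SIZE(ids)) {`, keeps the guard tied to the real buffer if its declaration ever changes; the info array named in the commit message is declared outside the hunk and presumably needs an equivalent bound. The rejection path is also silent: a count above the limit signals an internal inconsistency, so a comment such as `/* id_num indexes ids[] and the info array below; reject counts beyond their capacity */` plus an error-level log before `goto out` would help triage. The function body starts and ends outside the hunk.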