Halaman utama Jelajahi Bantuan
Masuk
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Jelajahi Sumber

qcacld-3.0: OOB read while processing extscan change results

In function wma_extscan_change_results_event_handler(), numResults
in dest_chglist is assigning as total_entries in the event, but the
memory allocated to dest_chglist is based on the numap variable,
which may cause out of buffer read in extscan indication callback
function wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind().

Also tSirWifiSignificantChange array parsing in both the functions
is not efficient which may lead to accessing unallocated memory.

To address out of buffer read, assign numap to numResults in
dest_chglist and to address accessing of unallocated memory,
parse tSirWifiSignificantChange array with efficient logic.

Change-Id: Ia0c287147e80e17de84fe6b1cb83c8e3c29a1fa0
CRs-Fixed: 2253396
Dundi Raviteja 6 tahun lalu
induk
cf5b89316f
melakukan
3566823ebe
2 mengubah file dengan 10 tambahan dan 4 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 6 2
      core/hdd/src/wlan_hdd_ext_scan.c
  2. 4 2
      core/wma/src/wma_scan_roam.c

+ 6 - 2
core/hdd/src/wlan_hdd_ext_scan.c
Tampilan Berkas 

@@ -734,7 +734,9 @@ wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind(
 
 		for (j = 0; j < ap_info->numOfRssi; j++)
 
 			hdd_debug("Rssi %d", *rssi++);
 
 
-		ap_info += ap_info->numOfRssi * sizeof(*rssi);
 
+		ap_info = (tSirWifiSignificantChange *)((char *)ap_info +
 
+				ap_info->numOfRssi * sizeof(*rssi) +
 
+				sizeof(*ap_info));
 
 	}
 
 
 	if (nla_put_u32(skb,
 
@@ -780,7 +782,9 @@ wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind(
 
 
 			nla_nest_end(skb, ap);
 
 
-			ap_info += ap_info->numOfRssi * sizeof(*rssi);
 
+			ap_info = (tSirWifiSignificantChange *)((char *)ap_info
 
+					+ ap_info->numOfRssi * sizeof(*rssi) +
 
+					sizeof(*ap_info));
 
 		}
 
 		nla_nest_end(skb, aps);

+ 4 - 2
core/wma/src/wma_scan_roam.c
Tampilan Berkas 

@@ -4303,12 +4303,14 @@ int wma_extscan_change_results_event_handler(void *handle,
 
 						   src_rssi[count++];
 
 			}
 
 		}
 
-		dest_ap += dest_ap->numOfRssi * sizeof(int32_t);
 
+		dest_ap = (tSirWifiSignificantChange *)((char *)dest_ap +
 
+					dest_ap->numOfRssi * sizeof(int32_t) +
 
+					sizeof(*dest_ap));
 
 		src_chglist++;
 
 	}
 
 	dest_chglist->requestId = event->request_id;
 
 	dest_chglist->moreData = moredata;
 
-	dest_chglist->numResults = event->total_entries;
 
+	dest_chglist->numResults = numap;
 
 
 	pMac->sme.pExtScanIndCb(pMac->hHdd,
 
 			eSIR_EXTSCAN_SIGNIFICANT_WIFI_CHANGE_RESULTS_IND,