samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: OOB read while processing extscan change results

Browse Source 
In function wma_extscan_change_results_event_handler(), numResults
in dest_chglist is assigning as total_entries in the event, but the
memory allocated to dest_chglist is based on the numap variable,
which may cause out of buffer read in extscan indication callback
function wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind().

Also tSirWifiSignificantChange array parsing in both the functions
is not efficient which may lead to accessing unallocated memory.

To address out of buffer read, assign numap to numResults in
dest_chglist and to address accessing of unallocated memory,
parse tSirWifiSignificantChange array with efficient logic.

Change-Id: Ia0c287147e80e17de84fe6b1cb83c8e3c29a1fa0
CRs-Fixed: 2253396
This commit is contained in:
Dundi Raviteja
2018-06-26 13:05:20 +05:30
committed by nshrivas
parent cf5b89316f
commit 3566823ebe
2 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
core/hdd/src/wlan_hdd_ext_scan.c
View File

@@ -734,7 +734,9 @@ wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind(
for (j = 0; j < ap_info->numOfRssi; j++) for (j = 0; j < ap_info->numOfRssi; j++)
hdd_debug("Rssi %d", *rssi++); hdd_debug("Rssi %d", *rssi++);
ap_info += ap_info->numOfRssi * sizeof(*rssi); ap_info = (tSirWifiSignificantChange *)((char *)ap_info +
ap_info->numOfRssi * sizeof(*rssi) +
sizeof(*ap_info));
} }
if (nla_put_u32(skb, if (nla_put_u32(skb,
@@ -780,7 +782,9 @@ wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind(
nla_nest_end(skb, ap); nla_nest_end(skb, ap);
ap_info += ap_info->numOfRssi * sizeof(*rssi); ap_info = (tSirWifiSignificantChange *)((char *)ap_info
+ ap_info->numOfRssi * sizeof(*rssi) +
sizeof(*ap_info));
} }
nla_nest_end(skb, aps); nla_nest_end(skb, aps);

6
core/wma/src/wma_scan_roam.c
View File

@@ -4303,12 +4303,14 @@ int wma_extscan_change_results_event_handler(void *handle,
src_rssi[count++]; src_rssi[count++];
} }
} }
dest_ap += dest_ap->numOfRssi * sizeof(int32_t); dest_ap = (tSirWifiSignificantChange *)((char *)dest_ap +
dest_ap->numOfRssi * sizeof(int32_t) +
sizeof(*dest_ap));
src_chglist++; src_chglist++;
} }
dest_chglist->requestId = event->request_id; dest_chglist->requestId = event->request_id;
dest_chglist->moreData = moredata; dest_chglist->moreData = moredata;
dest_chglist->numResults = event->total_entries; dest_chglist->numResults = numap;
pMac->sme.pExtScanIndCb(pMac->hHdd, pMac->sme.pExtScanIndCb(pMac->hHdd,
eSIR_EXTSCAN_SIGNIFICANT_WIFI_CHANGE_RESULTS_IND, eSIR_EXTSCAN_SIGNIFICANT_WIFI_CHANGE_RESULTS_IND,