qcacmn: Add bound check for num_per_chain_rssi_stats

Add bound check rssi_event->num_per_chain_rssi_stats in
extract_all_stats_counts_tlv().

ev->num_chain_rssi_stats in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
is derived from rssi_event->num_per_chain_rssi_stats
and is used as limit in for loop.

Because the length was never checked, the multiple qdf_mem_copy calls in
wmi_extract_per_chain_rssi_stats(), which is used in
target_if_cp_stats_extract_vdev_chain_rssi_stats(),
will result in an out-of-bounds (OOB) issue.

Change-Id: I204744e1435e687e33f2165744a92cdb8b975a51
CRs-Fixed: 2322298
Harprit Chhabada
2018-09-28 12:06:49 -07:00
committed by nshrivas
parent 791d0fce4f
commit 4efe1fa42d


@@ -19085,6 +19085,12 @@ static QDF_STATUS extract_all_stats_counts_tlv(wmi_unified_t wmi_handle,
WMITLV_GET_TLVLEN(rssi_event->tlv_header))
return QDF_STATUS_SUCCESS;
if (rssi_event->num_per_chain_rssi_stats >=
WMITLV_GET_TLVLEN(rssi_event->tlv_header)) {
WMI_LOGE("num_per_chain_rssi_stats:%u is out of bounds",
rssi_event->num_per_chain_rssi_stats);
return QDF_STATUS_E_INVAL;
}
stats_param->num_rssi_stats = rssi_event->num_per_chain_rssi_stats;
return QDF_STATUS_SUCCESS;
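Review bot: The added guard `if (rssi_event->num_per_chain_rssi_stats >= WMITLV_GET_TLVLEN(rssi_event->tlv_header))` compares an element count against the byte length of the fixed header TLV, which is a different unit and does not obviously bound the data the later loop reads. Per the commit message the count becomes the loop limit for the qdf_mem_copy calls in wmi_extract_per_chain_rssi_stats(), so the bound that matters is the number of per-chain entries actually carried in the event; a count that is below the header's byte length but above the number of entries present would still pass this check. If the parsed event buffer exposes the entry count or remaining length (not visible in this hunk), the comparison should be made against that, or against a fixed maximum for the array being filled. A short comment on the guard, such as `/* firmware-supplied count: must not exceed the entries present in the event */`, would record the intent. The body of extract_all_stats_counts_tlv() starts outside the hunk, so earlier validation cannot be ruled out from here.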