qcacld-3.0: Fix pSpectInfoParams memory corruption

qcacld-2.0 to qcacld-3.0 propagation

Before writing to an array member of pSpectInfoParams
in sapSelectChannel, we need to check the memory
access range to avoid an out-of-bounds write past the
end of the array.

CRs-Fixed: 998557
Change-Id: I0c05f65fd2ab62919272464a3be7cd138f12e2ec
Liangwei Dong
2016-10-20 03:40:45 -04:00
committed by Prakash Dhavali
parent a6cd4e0137
commit 71ed6502ea


@@ -708,6 +708,8 @@ static uint32_t sapweight_rssi_count(int8_t rssi, uint16_t count)
* @pSpectCh: Channel Information * @pSpectCh: Channel Information
* @offset: Channel Offset * @offset: Channel Offset
* @sap_24g: Channel is in 2.4G or 5G * @sap_24g: Channel is in 2.4G or 5G
* @spectch_start: the start of spect ch array
* @spectch_end: the end of spect ch array
* *
* sap_update_rssi_bsscount updates bss count and rssi effect based * sap_update_rssi_bsscount updates bss count and rssi effect based
* on the channel offset. * on the channel offset.
@@ -716,13 +718,16 @@ static uint32_t sapweight_rssi_count(int8_t rssi, uint16_t count)
*/ */
static void sap_update_rssi_bsscount(tSapSpectChInfo *pSpectCh, int32_t offset, static void sap_update_rssi_bsscount(tSapSpectChInfo *pSpectCh, int32_t offset,
bool sap_24g) bool sap_24g, tSapSpectChInfo *spectch_start,
tSapSpectChInfo *spectch_end)
{ {
tSapSpectChInfo *pExtSpectCh = NULL; tSapSpectChInfo *pExtSpectCh = NULL;
int32_t rssi, rsssi_effect; int32_t rssi, rsssi_effect;
pExtSpectCh = (pSpectCh + offset); pExtSpectCh = (pSpectCh + offset);
if (pExtSpectCh != NULL) { if (pExtSpectCh != NULL &&
pExtSpectCh >= spectch_start &&
pExtSpectCh < spectch_end) {
++pExtSpectCh->bssCount; ++pExtSpectCh->bssCount;
switch (offset) { switch (offset) {
case -1: case -1:
@@ -832,6 +837,8 @@ static void sap_upd_chan_spec_params(tSirProbeRespBeacon *pBeaconStruct,
* @spect_ch: Channel Information * @spect_ch: Channel Information
* @offset: Channel Offset * @offset: Channel Offset
* @num_ch: no.of channels * @num_ch: no.of channels
* @spectch_start: the start of spect ch array
* @spectch_end: the end of spect ch array
* *
* sap_update_rssi_bsscount_vht_5G updates bss count and rssi effect based * sap_update_rssi_bsscount_vht_5G updates bss count and rssi effect based
* on the channel offset. * on the channel offset.
@@ -841,7 +848,9 @@ static void sap_upd_chan_spec_params(tSirProbeRespBeacon *pBeaconStruct,
static void sap_update_rssi_bsscount_vht_5G(tSapSpectChInfo *spect_ch, static void sap_update_rssi_bsscount_vht_5G(tSapSpectChInfo *spect_ch,
int32_t offset, int32_t offset,
uint16_t num_ch) uint16_t num_ch,
tSapSpectChInfo *spectch_start,
tSapSpectChInfo *spectch_end)
{ {
int32_t ch_offset; int32_t ch_offset;
uint16_t i, cnt; uint16_t i, cnt;
@@ -856,7 +865,8 @@ static void sap_update_rssi_bsscount_vht_5G(tSapSpectChInfo *spect_ch,
ch_offset = offset + i; ch_offset = offset + i;
if (ch_offset == 0) if (ch_offset == 0)
continue; continue;
sap_update_rssi_bsscount(spect_ch, ch_offset, false); sap_update_rssi_bsscount(spect_ch, ch_offset, false,
spectch_start, spectch_end);
} }
} }
/** /**
@@ -868,6 +878,8 @@ static void sap_update_rssi_bsscount_vht_5G(tSapSpectChInfo *spect_ch,
* @sec_chan_offset: Secondary Channel Offset * @sec_chan_offset: Secondary Channel Offset
* @center_freq: Central frequency for the given channel. * @center_freq: Central frequency for the given channel.
* @channel_id: channel_id * @channel_id: channel_id
* @spectch_start: the start of spect ch array
* @spectch_end: the end of spect ch array
* *
* sap_interference_rssi_count_5G considers the Adjacent channel rssi * sap_interference_rssi_count_5G considers the Adjacent channel rssi
* and data count(here number of BSS observed) * and data count(here number of BSS observed)
@@ -880,7 +892,9 @@ static void sap_interference_rssi_count_5G(tSapSpectChInfo *spect_ch,
uint16_t sec_chan_offset, uint16_t sec_chan_offset,
uint16_t center_freq, uint16_t center_freq,
uint16_t center_freq_2, uint16_t center_freq_2,
uint8_t channel_id) uint8_t channel_id,
tSapSpectChInfo *spectch_start,
tSapSpectChInfo *spectch_end)
{ {
uint16_t num_ch; uint16_t num_ch;
int32_t offset = 0; int32_t offset = 0;
@@ -906,12 +920,14 @@ static void sap_interference_rssi_count_5G(tSapSpectChInfo *spect_ch,
switch (sec_chan_offset) { switch (sec_chan_offset) {
/* Above the Primary Channel */ /* Above the Primary Channel */
case PHY_DOUBLE_CHANNEL_LOW_PRIMARY: case PHY_DOUBLE_CHANNEL_LOW_PRIMARY:
sap_update_rssi_bsscount(spect_ch, 1, false); sap_update_rssi_bsscount(spect_ch, 1, false,
spectch_start, spectch_end);
return; return;
/* Below the Primary channel */ /* Below the Primary channel */
case PHY_DOUBLE_CHANNEL_HIGH_PRIMARY: case PHY_DOUBLE_CHANNEL_HIGH_PRIMARY:
sap_update_rssi_bsscount(spect_ch, -1, false); sap_update_rssi_bsscount(spect_ch, -1, false,
spectch_start, spectch_end);
return; return;
} }
return; return;
@@ -949,7 +965,8 @@ static void sap_interference_rssi_count_5G(tSapSpectChInfo *spect_ch,
default: default:
return; return;
} }
sap_update_rssi_bsscount_vht_5G(spect_ch, offset, num_ch); sap_update_rssi_bsscount_vht_5G(spect_ch, offset, num_ch,
spectch_start, spectch_end);
} }
/** /**
@@ -957,6 +974,8 @@ static void sap_interference_rssi_count_5G(tSapSpectChInfo *spect_ch,
* considers the Adjacent channel rssi * considers the Adjacent channel rssi
* and data count(here number of BSS observed) * and data count(here number of BSS observed)
* @spect_ch Channel Information * @spect_ch Channel Information
* @spectch_start: the start of spect ch array
* @spectch_end: the end of spect ch array
* *
* sap_interference_rssi_count considers the Adjacent channel rssi * sap_interference_rssi_count considers the Adjacent channel rssi
* and data count(here number of BSS observed) * and data count(here number of BSS observed)
@@ -964,7 +983,9 @@ static void sap_interference_rssi_count_5G(tSapSpectChInfo *spect_ch,
* Return: None. * Return: None.
*/ */
static void sap_interference_rssi_count(tSapSpectChInfo *spect_ch) static void sap_interference_rssi_count(tSapSpectChInfo *spect_ch,
tSapSpectChInfo *spectch_start,
tSapSpectChInfo *spectch_end)
{ {
if (NULL == spect_ch) { if (NULL == spect_ch) {
QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR, QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
@@ -974,35 +995,57 @@ static void sap_interference_rssi_count(tSapSpectChInfo *spect_ch)
switch (spect_ch->chNum) { switch (spect_ch->chNum) {
case CHANNEL_1: case CHANNEL_1:
sap_update_rssi_bsscount(spect_ch, 1, true); sap_update_rssi_bsscount(spect_ch, 1, true,
sap_update_rssi_bsscount(spect_ch, 2, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true); sap_update_rssi_bsscount(spect_ch, 2, true,
sap_update_rssi_bsscount(spect_ch, 4, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 4, true,
spectch_start, spectch_end);
break; break;
case CHANNEL_2: case CHANNEL_2:
sap_update_rssi_bsscount(spect_ch, -1, true); sap_update_rssi_bsscount(spect_ch, -1, true,
sap_update_rssi_bsscount(spect_ch, 1, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 2, true); sap_update_rssi_bsscount(spect_ch, 1, true,
sap_update_rssi_bsscount(spect_ch, 3, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 4, true); sap_update_rssi_bsscount(spect_ch, 2, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 4, true,
spectch_start, spectch_end);
break; break;
case CHANNEL_3: case CHANNEL_3:
sap_update_rssi_bsscount(spect_ch, -2, true); sap_update_rssi_bsscount(spect_ch, -2, true,
sap_update_rssi_bsscount(spect_ch, -1, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true); sap_update_rssi_bsscount(spect_ch, -1, true,
sap_update_rssi_bsscount(spect_ch, 2, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true); sap_update_rssi_bsscount(spect_ch, 1, true,
sap_update_rssi_bsscount(spect_ch, 4, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 2, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 4, true,
spectch_start, spectch_end);
break; break;
case CHANNEL_4: case CHANNEL_4:
sap_update_rssi_bsscount(spect_ch, -3, true); sap_update_rssi_bsscount(spect_ch, -3, true,
sap_update_rssi_bsscount(spect_ch, -2, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -1, true); sap_update_rssi_bsscount(spect_ch, -2, true,
sap_update_rssi_bsscount(spect_ch, 1, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 2, true); sap_update_rssi_bsscount(spect_ch, -1, true,
sap_update_rssi_bsscount(spect_ch, 3, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 4, true); sap_update_rssi_bsscount(spect_ch, 1, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 2, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 4, true,
spectch_start, spectch_end);
break; break;
case CHANNEL_5: case CHANNEL_5:
@@ -1011,48 +1054,78 @@ static void sap_interference_rssi_count(tSapSpectChInfo *spect_ch)
case CHANNEL_8: case CHANNEL_8:
case CHANNEL_9: case CHANNEL_9:
case CHANNEL_10: case CHANNEL_10:
sap_update_rssi_bsscount(spect_ch, -4, true); sap_update_rssi_bsscount(spect_ch, -4, true,
sap_update_rssi_bsscount(spect_ch, -3, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -2, true); sap_update_rssi_bsscount(spect_ch, -3, true,
sap_update_rssi_bsscount(spect_ch, -1, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true); sap_update_rssi_bsscount(spect_ch, -2, true,
sap_update_rssi_bsscount(spect_ch, 2, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true); sap_update_rssi_bsscount(spect_ch, -1, true,
sap_update_rssi_bsscount(spect_ch, 4, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 2, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 4, true,
spectch_start, spectch_end);
break; break;
case CHANNEL_11: case CHANNEL_11:
sap_update_rssi_bsscount(spect_ch, -4, true); sap_update_rssi_bsscount(spect_ch, -4, true,
sap_update_rssi_bsscount(spect_ch, -3, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -2, true); sap_update_rssi_bsscount(spect_ch, -3, true,
sap_update_rssi_bsscount(spect_ch, -1, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true); sap_update_rssi_bsscount(spect_ch, -2, true,
sap_update_rssi_bsscount(spect_ch, 2, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true); sap_update_rssi_bsscount(spect_ch, -1, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 2, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 3, true,
spectch_start, spectch_end);
break; break;
case CHANNEL_12: case CHANNEL_12:
sap_update_rssi_bsscount(spect_ch, -4, true); sap_update_rssi_bsscount(spect_ch, -4, true,
sap_update_rssi_bsscount(spect_ch, -3, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -2, true); sap_update_rssi_bsscount(spect_ch, -3, true,
sap_update_rssi_bsscount(spect_ch, -1, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true); sap_update_rssi_bsscount(spect_ch, -2, true,
sap_update_rssi_bsscount(spect_ch, 2, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -1, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 2, true,
spectch_start, spectch_end);
break; break;
case CHANNEL_13: case CHANNEL_13:
sap_update_rssi_bsscount(spect_ch, -4, true); sap_update_rssi_bsscount(spect_ch, -4, true,
sap_update_rssi_bsscount(spect_ch, -3, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -2, true); sap_update_rssi_bsscount(spect_ch, -3, true,
sap_update_rssi_bsscount(spect_ch, -1, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true); sap_update_rssi_bsscount(spect_ch, -2, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -1, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, 1, true,
spectch_start, spectch_end);
break; break;
case CHANNEL_14: case CHANNEL_14:
sap_update_rssi_bsscount(spect_ch, -4, true); sap_update_rssi_bsscount(spect_ch, -4, true,
sap_update_rssi_bsscount(spect_ch, -3, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -2, true); sap_update_rssi_bsscount(spect_ch, -3, true,
sap_update_rssi_bsscount(spect_ch, -1, true); spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -2, true,
spectch_start, spectch_end);
sap_update_rssi_bsscount(spect_ch, -1, true,
spectch_start, spectch_end);
break; break;
default: default:
@@ -1114,6 +1187,9 @@ static void sap_compute_spect_weight(tSapChSelSpectInfo *pSpectInfoParams,
uint32_t ieLen = 0; uint32_t ieLen = 0;
tSirProbeRespBeacon *pBeaconStruct; tSirProbeRespBeacon *pBeaconStruct;
tpAniSirGlobal pMac = (tpAniSirGlobal) halHandle; tpAniSirGlobal pMac = (tpAniSirGlobal) halHandle;
tSapSpectChInfo *spectch_start = pSpectInfoParams->pSpectCh;
tSapSpectChInfo *spectch_end = pSpectInfoParams->pSpectCh +
pSpectInfoParams->numSpectChans;
pBeaconStruct = qdf_mem_malloc(sizeof(tSirProbeRespBeacon)); pBeaconStruct = qdf_mem_malloc(sizeof(tSirProbeRespBeacon));
if (NULL == pBeaconStruct) { if (NULL == pBeaconStruct) {
@@ -1191,11 +1267,14 @@ static void sap_compute_spect_weight(tSapChSelSpectInfo *pSpectInfoParams,
secondaryChannelOffset, secondaryChannelOffset,
centerFreq, centerFreq,
centerFreq_2, centerFreq_2,
channel_id); channel_id,
spectch_start,
spectch_end);
break; break;
case eCSR_DOT11_MODE_11g: case eCSR_DOT11_MODE_11g:
sap_interference_rssi_count(pSpectCh); sap_interference_rssi_count(pSpectCh,
spectch_start, spectch_end);
break; break;
case eCSR_DOT11_MODE_abg: case eCSR_DOT11_MODE_abg:
@@ -1204,8 +1283,11 @@ static void sap_compute_spect_weight(tSapChSelSpectInfo *pSpectInfoParams,
secondaryChannelOffset, secondaryChannelOffset,
centerFreq, centerFreq,
centerFreq_2, centerFreq_2,
channel_id); channel_id,
sap_interference_rssi_count(pSpectCh); spectch_start,
spectch_end);
sap_interference_rssi_count(pSpectCh,
spectch_start, spectch_end);
break; break;
} }
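Review bot: The new range check in sap_update_rssi_bsscount is applied after `pExtSpectCh = (pSpectCh + offset);` has already been formed, so for an out-of-range offset the pointer arithmetic itself is undefined behaviour in C and an optimising compiler may treat the subsequent `pExtSpectCh >= spectch_start && pExtSpectCh < spectch_end` comparison as always true and drop it, leaving the overflow the commit means to close. Doing the bounds test on an index (`(pSpectCh - spectch_start) + offset` against `spectch_end - spectch_start`) and only then deriving the pointer keeps the check well-defined; the fence shows the shape, and because every caller in this commit (sap_interference_rssi_count, sap_interference_rssi_count_5G, sap_update_rssi_bsscount_vht_5G) funnels through this callee, fixing it here covers them all. With the range check in place the surviving `pExtSpectCh != NULL` test is redundant provided spectch_start is non-NULL, which the callers in sap_compute_spect_weight appear to guarantee by taking it from `pSpectInfoParams->pSpectCh`. The int32_t casts assume the spectrum array is far smaller than 2^31 entries, which seems safe given numSpectChans but is worth confirming. The body of sap_update_rssi_bsscount continues outside the hunk.
```c
	int32_t rssi, rsssi_effect;
	/* Bounds-check the index, not a pointer formed from an out-of-range offset. */
	int32_t idx = (int32_t)(pSpectCh - spectch_start) + offset;
	int32_t num_ch = (int32_t)(spectch_end - spectch_start);

	if (idx >= 0 && idx < num_ch) {
		pExtSpectCh = spectch_start + idx;
		++pExtSpectCh->bssCount;
		/* … unchanged: switch (offset) rssi-effect handling … */
```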