
qcacmn: Fix possible OOB in wmi_extract_dbr_buf_release_entry

Currently, in function wmi_extract_dbr_buf_release_entry,
num_buf_release_entry and num_meta_data_entry are copied
to the direct_buf_rx_rsp structure without any validation. This
may cause an out-of-bounds access if the num_buf_release_entry or
num_meta_data_entry value provided in the fixed param is greater
than the actual number of entries.

Fix is to validate num_entries and num_meta_data before populating
param->num_buf_release_entry and param->num_meta_data_entry.

Change-Id: I18050fd4f90f8815d7eceb5f715fdbaa09130d3a
CRs-Fixed: 3000875
sheenam monga há 3 anos atrás
pai
commit
727bee12fc

+ 5 - 0
target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c

@@ -1850,6 +1850,11 @@ static int target_if_direct_buf_rx_rsp_event_handler(ol_scn_t scn,
 	dbr_buf_pool = mod_param->dbr_buf_pool;
 	dbr_rsp.dbr_entries = qdf_mem_malloc(dbr_rsp.num_buf_release_entry *
 					sizeof(struct direct_buf_rx_entry));
+	if (!dbr_rsp.dbr_entries) {
+		direct_buf_rx_err("invalid dbr_entries");
+		wlan_objmgr_pdev_release_ref(pdev, dbr_mod_id);
+		return QDF_STATUS_E_FAILURE;
+	}
 
 	if (dbr_rsp.num_meta_data_entry > dbr_rsp.num_buf_release_entry) {
 		direct_buf_rx_err("More than expected number of metadata");
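Review bot: The new NULL branch logs `invalid dbr_entries`, which does not tell a log reader that the allocation failed or how many entries were requested. The count multiplied into the size comes from the event, so logging it makes a zero or unexpectedly large value visible, e.g. `direct_buf_rx_err("dbr_entries alloc failed, num entries %d", dbr_rsp.num_buf_release_entry);`. The `num_meta_data_entry > num_buf_release_entry` check that follows runs after the allocation and its error path ends outside the hunk. It is worth confirming that path frees `dbr_rsp.dbr_entries`, or moving the comparison above the `qdf_mem_malloc` call so nothing has to be freed.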

+ 11 - 1
wmi/src/wmi_unified_dbr_tlv.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -132,7 +132,17 @@ static QDF_STATUS extract_dbr_buf_release_fixed_tlv(wmi_unified_t wmi_handle,
 								wmi_handle,
 								ev->pdev_id);
 	param->mod_id = ev->mod_id;
+	if ((!param_buf->num_entries) ||
+	    param_buf->num_entries < ev->num_buf_release_entry){
+		wmi_err("actual num of buf release entries less than provided entries");
+		return QDF_STATUS_E_INVAL;
+	}
 	param->num_buf_release_entry = ev->num_buf_release_entry;
+	if ((!param_buf->num_meta_data) ||
+	    param_buf->num_meta_data < ev->num_meta_data_entry) {
+		wmi_err("actual num of meta data entries less than provided entries");
+		return QDF_STATUS_E_INVAL;
+	}
 	param->num_meta_data_entry = ev->num_meta_data_entry;
 	wmi_debug("pdev id %d mod id %d num buf release entry %d",
 		 param->pdev_id, param->mod_id, param->num_buf_release_entry);
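Review bot: The `!param_buf->num_meta_data` term in the second added check rejects every event that carries no metadata entries, even when `ev->num_meta_data_entry` is 0, and the logged text ("less than provided entries") does not describe that case. If firmware can legitimately send buffer-release events without metadata (not visible from this hunk), the bounds comparison alone is enough: `if (param_buf->num_meta_data < ev->num_meta_data_entry) {`. The same question applies to `!param_buf->num_entries` in the first check. A one-line comment above the checks would also help, such as `/* counts come from firmware; bound them by the TLV array lengths before use */`. The function starts and ends outside the hunk, so whether the per-index entry extraction relies on these counts could not be checked here.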