qcacmn: Fix OOB read in iw_hdd_set_var_ints_getnone

From the IOCTL command WE_POLICY_MANAGER_PCL_CMD, we get the cds concurrency mode as argument and pass it to cds_get_pcl to get the pcl channel list. This concurrency mode parameter is used as the array index to retrieve the enum cds_pcl_type. If this value is greater than CDS_MAX_NUM_OF_MODE an OOB read will occur in iw_hdd_set_var_ints_getnone. Add check to validate the input cds mode argument against the macro CDS_MAX_NUM_OF_MODE. Return error if it is violated. Change-Id: I51073061be363d9680abf0566b77be7c7573d0fe CRs-Fixed: 2233991
2018-05-01 12:32:47 +05:30
commit 7bfb1e9baf
--- a/umac/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
+++ b/umac/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
@@ -476,8 +476,8 @@ QDF_STATUS policy_mgr_get_pcl(struct wlan_objmgr_psoc *psoc,
 		return status;
 	}

-	if (mode >= PM_MAX_NUM_OF_MODE) {
-		policy_mgr_err("requested mode:%d is not supported", mode);
+	if ((mode < 0) || (mode >= PM_MAX_NUM_OF_MODE)) {
+		policy_mgr_err("Invalid connection mode %d received", mode);
 		return status;
 	}