qcacmn: Fix wrong memory access in spectral phyerr processing

In target_if_process_phyerr_gen2(), initialize variables
to prevent usage of junk values.
In target_if_process_sfft_report_gen3(), add check to
ensure the index doesn't exceed the size of the array.

Change-Id: Ie738d1fc836e1a2ec1358b635a4b6c64a424b894
Debasis Das
2021-09-01 12:04:23 +05:30
committed by Madan Koyyalamudi
parent 6d3d7d5f11
commit 800b5ae375


@@ -1435,11 +1435,11 @@ target_if_process_phyerr_gen2(struct target_if_spectral *spectral,
struct spectral_search_fft_info_gen2 search_fft_info_sec80;
struct spectral_search_fft_info_gen2 *p_sfft_sec80 =
&search_fft_info_sec80;
uint32_t segid_skiplen;
struct spectral_phyerr_tlv_gen2 *ptlv;
struct spectral_phyerr_tlv_gen2 *ptlv_sec80;
struct spectral_phyerr_fft_gen2 *pfft;
struct spectral_phyerr_fft_gen2 *pfft_sec80;
uint32_t segid_skiplen = 0;
struct spectral_phyerr_tlv_gen2 *ptlv = NULL;
struct spectral_phyerr_tlv_gen2 *ptlv_sec80 = NULL;
struct spectral_phyerr_fft_gen2 *pfft = NULL;
struct spectral_phyerr_fft_gen2 *pfft_sec80 = NULL;
struct spectral_process_phyerr_info_gen2 process_phyerr_fields;
struct spectral_process_phyerr_info_gen2 *phyerr_info =
&process_phyerr_fields;
@@ -1451,7 +1451,7 @@ target_if_process_phyerr_gen2(struct target_if_spectral *spectral,
if (!spectral) {
spectral_err_rl("Spectral LMAC object is null");
goto fail;
goto fail_no_print;
}
p_sops = GET_TARGET_IF_SPECTRAL_OPS(spectral);
@@ -2763,6 +2763,11 @@ static void target_if_spectral_verify_ts(struct target_if_spectral *spectral,
spectral_err_rl("Spectral LMAC object is null");
return;
}
if (detector_id >= MAX_DETECTORS_PER_PDEV) {
spectral_err_rl("Spectral detector_id %d exceeds range",
detector_id);
return;
}
if (!spectral->dbr_buff_debug)
return;
@@ -3067,6 +3072,13 @@ target_if_process_sfft_report_gen3(
return QDF_STATUS_E_NULL_VALUE;
}
spectral_mode = target_if_get_spectral_mode(p_sfft->fft_detector_id,
&spectral->rparams);
if (spectral_mode >= SPECTRAL_SCAN_MODE_MAX) {
spectral_err_rl("No valid Spectral mode for detector id %u",
p_sfft->fft_detector_id);
return QDF_STATUS_E_FAILURE;
}
/*
* For easy comparision between MDK team and OS team, the MDK script
* variable names have been used
@@ -3195,13 +3207,6 @@ target_if_process_sfft_report_gen3(
FFT_REPORT_HDR_C_RELATIVE_PWR_SIZE_GEN3,
FFT_REPORT_HDR_C_RELATIVE_PWR_POS_GEN3);
spectral_mode = target_if_get_spectral_mode(p_sfft->fft_detector_id,
&spectral->rparams);
if (spectral_mode >= SPECTRAL_SCAN_MODE_MAX) {
spectral_err_rl("No valid Spectral mode for detector id %u",
p_sfft->fft_detector_id);
return QDF_STATUS_E_FAILURE;
}
p_sfft->fft_bin_count =
target_if_spectral_get_bin_count_after_len_adj(
fft_hdr_length - spectral->rparams.fft_report_hdr_len,
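Review bot: The relocated `spectral_mode` lookup in target_if_process_sfft_report_gen3() now reads `p_sfft->fft_detector_id` directly after the NULL check on `spectral`, ahead of the header parsing that the "MDK script variable names" comment introduces, so it should be confirmed that the detector id is already populated at that point. The old call site came after header-field extraction (the tail of one such call, `FFT_REPORT_HDR_C_RELATIVE_PWR_POS_GEN3);`, is visible just above the removed lines). If the id is still extracted from the report below the new call site, the `>= SPECTRAL_SCAN_MODE_MAX` check would validate a stale or uninitialized value and would not bound the index for this report. In that case, move the detector-id extraction up together with the check and document the ordering, for example `/* fft_detector_id must be extracted from the report before this lookup */`. The function body starts and ends outside both hunks, so the ordering could not be verified from the page.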