samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Validate cfgLength to the upper bound

Browse Source 
Validate cfgLength to the upper bound before using it in copy
inside csr_get_cfg_max_tx_power()/lim_get_dot11d_transmit_power.

Change-Id: Ibcc1f145db9b902a29a0332553323d0a3ac6b2ff
CRs-Fixed: 2423707
This commit is contained in:
lifeng
2019-04-01 12:09:32 +08:00
committed by nshrivas
parent ad0e83df29
commit 88e5800271
2 changed files with 15 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
core/mac/src/pe/lim/lim_utils.c
View File

@@ -8221,10 +8221,14 @@ lim_get_dot11d_transmit_power(struct mac_context *mac, uint8_t channel)
goto error; goto error;
if (WLAN_REG_IS_5GHZ_CH(channel)) { if (WLAN_REG_IS_5GHZ_CH(channel)) {
if (cfg_length > CFG_MAX_TX_POWER_5_LEN)
goto error;
qdf_mem_copy(country_info, qdf_mem_copy(country_info,
mac->mlme_cfg->power.max_tx_power_5.data, mac->mlme_cfg->power.max_tx_power_5.data,
cfg_length); cfg_length);
} else if (WLAN_REG_IS_24GHZ_CH(channel)) { } else if (WLAN_REG_IS_24GHZ_CH(channel)) {
if (cfg_length > CFG_MAX_TX_POWER_2_4_LEN)
goto error;
qdf_mem_copy(country_info, qdf_mem_copy(country_info,
mac->mlme_cfg->power.max_tx_power_24.data, mac->mlme_cfg->power.max_tx_power_24.data,
cfg_length); cfg_length);

18
core/sme/src/csr/csr_api_roam.c
View File

@@ -13147,7 +13147,7 @@ QDF_STATUS csr_get_cfg_valid_channels(struct mac_context *mac, uint8_t *pChannel
int8_t csr_get_cfg_max_tx_power(struct mac_context *mac, uint8_t channel) int8_t csr_get_cfg_max_tx_power(struct mac_context *mac, uint8_t channel)
{ {
uint32_t cfgLength = 0; uint32_t cfg_length = 0;
int8_t maxTxPwr = 0; int8_t maxTxPwr = 0;
uint8_t *pCountryInfo = NULL; uint8_t *pCountryInfo = NULL;
uint8_t count = 0; uint8_t count = 0;
@@ -13155,29 +13155,33 @@ int8_t csr_get_cfg_max_tx_power(struct mac_context *mac, uint8_t channel)
uint8_t maxChannels; uint8_t maxChannels;
if (WLAN_REG_IS_5GHZ_CH(channel)) { if (WLAN_REG_IS_5GHZ_CH(channel)) {
cfgLength = mac->mlme_cfg->power.max_tx_power_5.len; cfg_length = mac->mlme_cfg->power.max_tx_power_5.len;
} else if (WLAN_REG_IS_24GHZ_CH(channel)) { } else if (WLAN_REG_IS_24GHZ_CH(channel)) {
cfgLength = mac->mlme_cfg->power.max_tx_power_24.len; cfg_length = mac->mlme_cfg->power.max_tx_power_24.len;
} else } else
return maxTxPwr; return maxTxPwr;
pCountryInfo = qdf_mem_malloc(cfgLength); pCountryInfo = qdf_mem_malloc(cfg_length);
if (!pCountryInfo) if (!pCountryInfo)
goto error; goto error;
if (WLAN_REG_IS_5GHZ_CH(channel)) { if (WLAN_REG_IS_5GHZ_CH(channel)) {
if (cfg_length > CFG_MAX_TX_POWER_5_LEN)
goto error;
qdf_mem_copy(pCountryInfo, qdf_mem_copy(pCountryInfo,
mac->mlme_cfg->power.max_tx_power_5.data, mac->mlme_cfg->power.max_tx_power_5.data,
cfgLength); cfg_length);
} else if (WLAN_REG_IS_24GHZ_CH(channel)) { } else if (WLAN_REG_IS_24GHZ_CH(channel)) {
if (cfg_length > CFG_MAX_TX_POWER_2_4_LEN)
goto error;
qdf_mem_copy(pCountryInfo, qdf_mem_copy(pCountryInfo,
mac->mlme_cfg->power.max_tx_power_24.data, mac->mlme_cfg->power.max_tx_power_24.data,
cfgLength); cfg_length);
} }
/* Identify the channel and maxtxpower */ /* Identify the channel and maxtxpower */
while (count <= (cfgLength - (sizeof(tSirMacChanInfo)))) { while (count <= (cfg_length - (sizeof(tSirMacChanInfo)))) {
firstChannel = pCountryInfo[count++]; firstChannel = pCountryInfo[count++];
maxChannels = pCountryInfo[count++]; maxChannels = pCountryInfo[count++];
maxTxPwr = pCountryInfo[count++]; maxTxPwr = pCountryInfo[count++];