From aaa3a692ce66e53b3939c68024df191b80c08ea6 Mon Sep 17 00:00:00 2001
From: snandini
Date: Tue, 22 Sep 2020 12:15:40 -0700
Subject: [PATCH 1/3] Release 5.2.0.203Q
Release 5.2.0.203Q
Change-Id: I6022c43865c23d638d8d89f392dd9e34f9ba2319
CRs-Fixed: 774533
---
 core/mac/inc/qwlan_version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h
index bf213e9f25..8bbb419597 100644
--- a/core/mac/inc/qwlan_version.h
+++ b/core/mac/inc/qwlan_version.h
@@ -32,9 +32,9 @@
 #define QWLAN_VERSION_MAJOR 5
 #define QWLAN_VERSION_MINOR 2
 #define QWLAN_VERSION_PATCH 0
-#define QWLAN_VERSION_EXTRA "P"
+#define QWLAN_VERSION_EXTRA "Q"
 #define QWLAN_VERSION_BUILD 203
-#define QWLAN_VERSIONSTR "5.2.0.203P"
+#define QWLAN_VERSIONSTR "5.2.0.203Q"
 #endif /* QWLAN_VERSION_H */
From f7b5dced13027a65f76957fc168ded9e6b8e0774 Mon Sep 17 00:00:00 2001
From: Yu Wang
Date: Fri, 18 Sep 2020 13:34:56 +0800
Subject: [PATCH 2/3] qcacld-3.0: fix a possible out-of-bounds access issue
The array size of 'channels' in struct channel_list_info is CFG_VALID_CHANNEL_LIST_LEN, which may smaller than NUM_CHANNELS, function 'iw_get_channel_list()' may attempt to access element CFG_VALID_CHANNEL_LIST_LEN..NUM_CHANNELS of array 'channels'. To make align, fix array size of 'channels' to NUM_CHANNELS, and refine 'iw_get_channel_list_with_cc()'.
CRs-Fixed: 2777780
Change-Id: Ie064322f14186310a769db2642e69c8a520f1b26
---
 core/hdd/inc/qc_sap_ioctl.h | 4 ++--
 core/hdd/src/wlan_hdd_hostapd_wext.c | 16 +++++++++++-----
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/core/hdd/inc/qc_sap_ioctl.h b/core/hdd/inc/qc_sap_ioctl.h
index 7226536b5a..f460b40a14 100644
--- a/core/hdd/inc/qc_sap_ioctl.h
+++ b/core/hdd/inc/qc_sap_ioctl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -29,7 +29,7 @@
 struct channel_list_info {
 uint8_t num_channels;
- uint8_t channels[CFG_VALID_CHANNEL_LIST_LEN];
+ uint8_t channels[NUM_CHANNELS];
 };
 #ifdef __linux__
diff --git a/core/hdd/src/wlan_hdd_hostapd_wext.c b/core/hdd/src/wlan_hdd_hostapd_wext.c
index df861f49f9..a320314e12 100644
--- a/core/hdd/src/wlan_hdd_hostapd_wext.c
+++ b/core/hdd/src/wlan_hdd_hostapd_wext.c
@@ -1990,19 +1990,25 @@ int iw_get_channel_list_with_cc(struct net_device *dev,
 hdd_err_rl("GetChannelList Failed!!!");
 return -EINVAL;
 }
- buf = extra;
+
 /*
- * Maximum channels = WNI_CFG_VALID_CHANNEL_LIST_LEN.
- * Maximum buffer needed = 5 * number of channels.
+ * Maximum buffer needed =
+ * [4: 3 digits of num_chn + 1 space] +
+ * [REG_ALPHA2_LEN: REG_ALPHA2_LEN digits] +
+ * [4 * num_chn: (1 space + 3 digits of chn[i]) * num_chn] +
+ * [1: Terminator].
+ *
 * Check if sufficient buffer is available and then
 * proceed to fill the buffer.
 */
- if (WE_MAX_STR_LEN < (5 * CFG_VALID_CHANNEL_LIST_LEN)) {
+ if (WE_MAX_STR_LEN <
+ (4 + REG_ALPHA2_LEN + 4 * channel_list.num_channels + 1)) {
 hdd_err_rl("Insufficient Buffer to populate channel list");
 return -EINVAL;
 }
- len = scnprintf(buf, WE_MAX_STR_LEN, "%u ", channel_list.num_channels);
+ buf = extra;
+ len = scnprintf(buf, WE_MAX_STR_LEN, "%u ", channel_list.num_channels);
 wlan_reg_get_cc_and_src(mac->psoc, ubuf);
 /* Printing Country code in getChannelList(break at '\0') */
 for (i = 0; i < (ubuf_len - 1) && ubuf[i] != 0; i++)
From 7f10d7656824efd5fae06fc2dc6ad61362c7be5d Mon Sep 17 00:00:00 2001
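Review bot: In `struct channel_list_info` (second hunk of qc_sap_ioctl.h) the array bound becomes `NUM_CHANNELS` while the count beside it stays `uint8_t num_channels`, and nothing in the header ties the two together, so a later growth of `NUM_CHANNELS` past 255 would go unnoticed. A comment on the member would record the contract, for example `/* sized to NUM_CHANNELS; every writer must bound its index by NUM_CHANNELS */`, and a compile-time check such as `BUILD_BUG_ON(NUM_CHANNELS > U8_MAX);` in the function that fills the list would enforce the count range. The struct sits in an ioctl header, so if it is ever copied to user space the size change also alters the layout seen there; that is not visible in this hunk and should be confirmed.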
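Review bot: The new size check in `iw_get_channel_list_with_cc()` budgets `REG_ALPHA2_LEN` bytes for the country code, but the copy loop on the hunk's last context line is bounded by `ubuf_len - 1`, so the estimate only holds if the two agree; `ubuf_len` is assigned outside the hunk, so this cannot be confirmed from here. The visible `scnprintf(buf, WE_MAX_STR_LEN, ...)` call is bounded on its own, so the check appears to act as an early rejection of output that would be truncated rather than as the overflow guard, and the comment should say so, e.g. `* The scnprintf() calls below are bounded by WE_MAX_STR_LEN; this check only rejects a list that would be truncated.` The literals `4` and `1` in the condition would read better as named constants next to `REG_ALPHA2_LEN`. The function body starts before and continues after the hunk.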
From: snandini
Date: Tue, 22 Sep 2020 16:11:28 -0700
Subject: [PATCH 3/3] Release 5.2.0.203R
Release 5.2.0.203R
Change-Id: Ic17658897546833c33186a3584e5c04e4694f451
CRs-Fixed: 774533
---
 core/mac/inc/qwlan_version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h
index 8bbb419597..983b43175e 100644
--- a/core/mac/inc/qwlan_version.h
+++ b/core/mac/inc/qwlan_version.h
@@ -32,9 +32,9 @@
 #define QWLAN_VERSION_MAJOR 5
 #define QWLAN_VERSION_MINOR 2
 #define QWLAN_VERSION_PATCH 0
-#define QWLAN_VERSION_EXTRA "Q"
+#define QWLAN_VERSION_EXTRA "R"
 #define QWLAN_VERSION_BUILD 203
-#define QWLAN_VERSIONSTR "5.2.0.203Q"
+#define QWLAN_VERSIONSTR "5.2.0.203R"
 #endif /* QWLAN_VERSION_H */