From 96aff7736b52be3a28c15e23bf52f615a5c7be9e Mon Sep 17 00:00:00 2001
From: Pragaspathi Thilagaraj
Date: Wed, 29 Aug 2018 23:15:31 +0530
Subject: [PATCH] qcacld-3.0: Fix possible OOB in wma_pdev_div_info_evt_handler
In the function wma_pdev_div_info_evt_handler, while handling WMI_PDEV_DIV_RSSI_ANTID_EVENTID event, the corresponding event handler wma_pdev_div_info_evt_handler is invoked. In the function wma_pdev_div_info_evt_handler, event_buf argument comes directly from firmware and event parameter is pulled from event buf. The event->num_chains_valid is used as the maximum bound on the array index of chain_rssi[] array which has a maximum limit of CHAIN_MAX_NUM(8). When event->num_chains_valid has a value greater than this maximum limit, OOB write could occur. Add check to validate the event->num_chains_valid against CHAIN_MAX_NUM(8) and return failure if it exceeds.
Change-Id: I40f1aa8a7b4bcffef3cab588c78c700e88e24673
CRs-Fixed: 2304662
---
 core/wma/src/wma_features.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c
index ac3b3a4f1d..1e378707bd 100644
--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c
@@ -5784,20 +5784,24 @@ int wma_pdev_div_info_evt_handler(void *handle, u_int8_t *event_buf,
 return -EINVAL;
 }
+ if (event->num_chains_valid > CHAIN_MAX_NUM) {
+ WMA_LOGE(FL("Invalid num of chains"));
+ return -EINVAL;
+ }
+
 WMI_MAC_ADDR_TO_CHAR_ARRAY(&event->macaddr, macaddr);
 WMA_LOGD(FL("macaddr: " MAC_ADDRESS_STR), MAC_ADDR_ARRAY(macaddr));
 WMA_LOGD(FL("num_chains_valid: %d"), event->num_chains_valid);
 chain_rssi_result.num_chains_valid = event->num_chains_valid;
- for (i = 0; i < CHAIN_MAX_NUM; i++)
- WMA_LOGD(FL("chain_rssi: %d, ant_id: %d"),
- event->chain_rssi[i], event->ant_id[i]);
-
 qdf_mem_copy(chain_rssi_result.chain_rssi, event->chain_rssi, sizeof(event->chain_rssi));
- for (i = 0; i < event->num_chains_valid; i++)
+ for (i = 0; i < event->num_chains_valid; i++) {
+ WMA_LOGD(FL("chain_rssi: %d, ant_id: %d"),
+ event->chain_rssi[i], event->ant_id[i]);
 chain_rssi_result.chain_rssi[i] += WMA_TGT_NOISE_FLOOR_DBM;
+ }
 qdf_mem_copy(chain_rssi_result.ant_id, event->ant_id, sizeof(event->ant_id));
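Review bot: The new guard compares the firmware-supplied `event->num_chains_valid` against the bare constant `CHAIN_MAX_NUM` rather than against the size of the arrays it then indexes, so the check and the `chain_rssi[]` / `ant_id[]` declarations (presumably both sized `CHAIN_MAX_NUM`, per the commit message) can drift apart silently if either struct changes; a compile-time assertion that `event->chain_rssi` and `chain_rssi_result.chain_rssi` both hold exactly `CHAIN_MAX_NUM` entries would tie the bound to the buffers it protects. The check itself is correct as written: `num_chains_valid == CHAIN_MAX_NUM` is accepted and the loop runs `i < event->num_chains_valid`, so no index reaches `CHAIN_MAX_NUM`. A one-line comment above the guard would record its purpose for the next reader, e.g. `/* num_chains_valid is firmware-controlled; bound it before it is used as a loop limit */`. wma_pdev_div_info_evt_handler starts and ends outside the hunk, so the declared types of `num_chains_valid` and `i` cannot be confirmed here.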