
qcacld-3.0: Avoid potential OOB read in wma_is_vdev_valid function

In function wma_is_vdev_valid, vdev_id received as argument is used
to access wma_handle->interfaces array directly without validation
of max value of vdev_id. If vdev_id is not less than max_bssid, then
an OOB read would occur in this function.

Also add free and break in wma_mc_process_msg while handling
SIR_HAL_CONFIG_GUARD_TIME message in WMA.

Change-Id: I5f4481c937d5c370b334f2a7f8a172d08140ab1d
CRs-Fixed: 2154304
Vignesh Viswanathan 7 years ago
parent
commit
9fa8fef7b7
2 changed files with 9 additions and 0 deletions
  1. 7 0
      core/wma/src/wma_dev_if.c
  2. 2 0
      core/wma/src/wma_main.c

+ 7 - 0
core/wma/src/wma_dev_if.c

@@ -1164,6 +1164,13 @@ bool wma_is_vdev_valid(uint32_t vdev_id)
 		return false;
 	}
 
+	/* No of interface are allocated based on max_bssid value */
+	if (vdev_id >= wma_handle->max_bssid) {
+		WMA_LOGD("%s: vdev_id: %d is invalid, max_bssid: %d",
+				__func__, vdev_id, wma_handle->max_bssid);
+		return false;
+	}
+
 	WMA_LOGD("%s: vdev_id: %d, vdev_active: %d, is_vdev_valid %d",
 		 __func__, vdev_id, wma_handle->interfaces[vdev_id].vdev_active,
 		 wma_handle->interfaces[vdev_id].is_vdev_valid);
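Review bot: The new rejection message formats `vdev_id` with `%d` although the parameter is `uint32_t`, so the large out-of-range ids this check exists to catch can print as negative numbers; `%u` matches the type, and `max_bssid` should use the specifier for its declared type, which is not visible here. The rejection is logged through `WMA_LOGD` only, so a caller passing a bad id may go unnoticed outside debug builds; an error-level log may suit a failed bounds check better. The comment would be clearer as `/* interfaces[] holds max_bssid entries; reject ids beyond it */`. The body of wma_is_vdev_valid starts and ends outside this hunk, so other direct uses of `interfaces[vdev_id]` cannot be checked from here.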

+ 2 - 0
core/wma/src/wma_main.c

@@ -7820,6 +7820,8 @@ static QDF_STATUS wma_mc_process_msg(struct scheduler_msg *msg)
 		wma_config_guard_time(wma_handle,
 				      (struct sir_guard_time_request *)
 				      msg->bodyptr);
+		qdf_mem_free(msg->bodyptr);
+		break;
 	case WMA_IPA_OFFLOAD_ENABLE_DISABLE:
 		wma_ipa_offload_enable_disable(wma_handle,
 			(struct sir_ipa_offload_enable_disable *)msg->bodyptr);
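Review bot: After the added `qdf_mem_free(msg->bodyptr);` the message still carries the stale pointer, so any later read or second free of `bodyptr` by the dispatcher would touch freed memory. Whether that can happen is not visible in this hunk; if it can, `msg->bodyptr = NULL;` after the free closes it. The added `break` also stops the guard-time request from falling through into `wma_ipa_offload_enable_disable`, where it was cast to a different struct type. That is worth a short comment such as `/* body is a sir_guard_time_request; must not fall through */`. The enclosing switch in wma_mc_process_msg begins and ends outside the hunk, so other cases with the same missing free or break cannot be ruled out here.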