qcacmn: Add check for buffer overflow and null pointer dereference
There is a chance of a null pointer dereference for num_eht_user_info_valid and an out-of-bounds array access for eht_user_info. Add checks for both cases, as either may cause a crash. Change-Id: Icb5235612a1225b9991c99519b5ee49536c577bc CRs-Fixed: 3426873

committed by
Madan Koyyalamudi

parent
9064b44469
commit
a3a4e67eed
@@ -242,6 +242,8 @@ enum wsc_op_code {
|
||||
#define MAX_CHAIN 8
|
||||
#define QDF_MON_STATUS_MPDU_FCS_BMAP_NWORDS 8
|
||||
|
||||
#define EHT_USER_INFO_LEN 4
|
||||
|
||||
/**
|
||||
* typedef qdf_nbuf_queue_t - Platform independent packet queue abstraction
|
||||
*/
|
||||
@@ -512,7 +514,7 @@ struct mon_rx_status {
|
||||
uint32_t usig_mask;
|
||||
uint32_t eht_known;
|
||||
uint32_t eht_data[6];
|
||||
uint32_t eht_user_info[4];
|
||||
uint32_t eht_user_info[EHT_USER_INFO_LEN];
|
||||
#ifdef QCA_UNDECODED_METADATA_SUPPORT
|
||||
uint32_t phyrx_abort:1,
|
||||
phyrx_abort_reason:8,
|
||||
|
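Review bot: `EHT_USER_INFO_LEN` is added without a comment, and "LEN" with the value 4 can be read as a byte length, while the second hunk uses it as the element count of `uint32_t eht_user_info[]` in struct mon_rx_status. A one-line comment on the define would make the unit explicit, for example `/* Number of 32-bit words in mon_rx_status.eht_user_info[] */`. The neighbouring `eht_data[6]` keeps a bare literal, so any bound check on that array elsewhere would still have to repeat the 6; a matching named constant would keep the two consistent. struct mon_rx_status starts and ends outside the hunk.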
@@ -5120,7 +5120,9 @@ qdf_nbuf_update_radiotap_eht_flags(struct mon_rx_status *rx_status,
|
||||
put_unaligned_le32(rx_status->eht_data[5], &rtap_buf[rtap_len]);
|
||||
rtap_len += 4;
|
||||
|
||||
for (user = 0; user < rx_status->num_eht_user_info_valid; user++) {
|
||||
for (user = 0; user < EHT_USER_INFO_LEN &&
|
||||
rx_status->num_eht_user_info_valid &&
|
||||
user < rx_status->num_eht_user_info_valid; user++) {
|
||||
put_unaligned_le32(rx_status->eht_user_info[user],
|
||||
&rtap_buf[rtap_len]);
|
||||
rtap_len += 4;
|
||||
|
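Review bot: The middle term `rx_status->num_eht_user_info_valid &&` in the new loop condition is a non-zero test on the count, not a pointer check, and it appears redundant: with a count of 0 the following `user < rx_status->num_eht_user_info_valid` already ends the loop, and `rx_status` itself is dereferenced just above by `rx_status->eht_data[5]`. The `user < EHT_USER_INFO_LEN` term is what keeps the read inside `eht_user_info[]`, so the condition can be `for (user = 0; user < EHT_USER_INFO_LEN && user < rx_status->num_eht_user_info_valid; user++) {`. The clamp is silent, so an oversized count (presumably taken from parsed status data, not visible here) is hidden rather than reported; validating or clamping it where `num_eht_user_info_valid` is written would cover other readers of the array too. Whether `rtap_buf` has room for each 4-byte write at `rtap_len` cannot be seen from this hunk, and the function body starts and ends outside it.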