From a60bf20c33fe2cb4d018741442604ce4ccd24be3 Mon Sep 17 00:00:00 2001 From: Liangwei Dong Date: Tue, 14 Feb 2023 09:38:03 +0800 Subject: [PATCH] qcacld-3.0: Fix potential out of memory access Limit num_chan to be less than WLAN_MAX_LOGGING_FREQ and NUM_CHANNELS to fix potential out of memory access. Change-Id: I5e0bcd449a738fa416daeaebaeafbd2ec11913ba CRs-Fixed: 3405136 --- .../mlme/connection_mgr/core/src/wlan_cm_roam_offload.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload.c b/components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload.c index 5d70c36286..c6c84a6f4e 100644 --- a/components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload.c +++ b/components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload.c @@ -5872,6 +5872,10 @@ void cm_roam_scan_info_event(struct wlan_objmgr_psoc *psoc, status = mlme_get_fw_scan_channels(psoc, chan_freq, &num_chan); if (QDF_IS_STATUS_ERROR(status)) goto out; + if (num_chan > NUM_CHANNELS) { + mlme_err("unexpected num chan %d", num_chan); + goto out; + } status = wlan_mlme_get_band_capability(psoc, &band_capability); if (QDF_IS_STATUS_ERROR(status)) @@ -5881,8 +5885,7 @@ void cm_roam_scan_info_event(struct wlan_objmgr_psoc *psoc, policy_mgr_get_connected_roaming_vdev_band_mask(psoc, vdev_id); - if (num_chan > WLAN_MAX_LOGGING_FREQ) - num_chan = WLAN_MAX_LOGGING_FREQ; + num_chan = QDF_MIN(WLAN_MAX_LOGGING_FREQ, NUM_CHANNELS); for (i = 0; i < num_chan; i++) { if (!wlan_is_valid_frequency(chan_freq[i],