Halaman utama Jelajahi Bantuan
Masuk
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Jelajahi Sumber

qcacld-3.0: Validate number of APs before filling diag event

When WMI_ROAM_STATS_EVENTID is received, the driver copies the
roam scan candidate AP data from the event to destination
buffer. This num_ap count is used directly to fill the diag
buffer. When the number of candidates sent by the firmware
is greater than MAX_ROAM_CANDIDATE_AP(8), corruption of the
destination scan->ap buffer occurs.

Validate the number of APs before filling the diag event.

Change-Id: I5258bc0d4ce0108cbc5195aa464afd498ae9fbf9
CRs-Fixed: 2598513
Pragaspathi Thilagaraj 5 tahun lalu
induk
b1e41a7a08
melakukan
a9a5f31448
1 mengubah file dengan 4 tambahan dan 1 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 4 1
      core/wma/src/wma_scan_roam.c

+ 4 - 1
core/wma/src/wma_scan_roam.c
Tampilan Berkas 

@@ -3412,7 +3412,6 @@ wma_diag_log_roam_scan_info(struct wmi_roam_scan_data *scan, uint8_t vdev_id,
 
 
 	scan_data->version = 1;
 
 	scan_data->type = scan->type;
 
-	scan_data->num_ap = scan->num_ap;
 
 	scan_data->num_chan = scan->num_chan;
 
 	scan_data->next_rssi_threshold = scan->next_rssi_threshold;
 
 	scan_data->vdev_id = vdev_id;
 
@@ -3420,6 +3419,10 @@ wma_diag_log_roam_scan_info(struct wmi_roam_scan_data *scan, uint8_t vdev_id,
 
 	for (i = 0; i < scan_data->num_chan; i++)
 
 		scan_data->chan_freq[i] = scan->chan_freq[i];
 
 
+	scan_data->num_ap = scan->num_ap;
 
+	if (scan->num_ap > MAX_ROAM_CANDIDATE_AP)
 
+		scan_data->num_ap = MAX_ROAM_CANDIDATE_AP;
 
+
 
 	for (i = 0; i < scan_data->num_ap; i++) {
 
 		scan_data->ap[i].version = 1;
 
 		scan_data->ap[i].timestamp = scan->ap[i].timestamp;