
qcacld-3.0: Add check for if_id in wma_tbttoffset_update_event_handler

Currently if_id used in the for loop is incremented based on vdev_map != 0
and vdev_map is a uint_32, received from FW, and is right shifted by one bit
for each iteration. This could result in if_id going up to max of 31 and cause
OOB read.

Add sanity check to make sure if_id is less than max_bssid.

Change-Id: I7e0c4e9a26cb67f41e35c60c2756d7ad02cf43ea
CRs-Fixed: 2119443
Vignesh Viswanathan, 7 years ago
parent
commit
adb1b654b7
1 file changed with 1 addition and 1 deletion

+ 1 - 1
core/wma/src/wma_mgmt.c

@@ -2531,7 +2531,7 @@ int wma_tbttoffset_update_event_handler(void *handle, uint8_t *event,
 		return -EINVAL;
 	}
 
-	for (; (vdev_map); vdev_map >>= 1, if_id++) {
+	for (; (if_id < wma->max_bssid && vdev_map); vdev_map >>= 1, if_id++) {
 		if (!(vdev_map & 0x1) || (!(intf[if_id].handle)))
 			continue;