Home Esplora Aiuto
Accedi
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Sfoglia il codice sorgente

qcacld-3.0: Fix possible OOB access

Add check to fix possible out of bound array access

Change-Id: I621441bbdc41ce58f444b221eba086ab2f0b2e5a
CRs-Fixed: 2960525
Amruta Kulkarni 3 anni fa
parent
9e52fd2155
commit
b294c04540
5 ha cambiato i file con 9 aggiunte e 6 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 2 1
      components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload.c
  2. 1 2
      components/umac/mlme/connection_mgr/dispatcher/inc/wlan_cm_roam_public_struct.h
  3. 4 1
      components/umac/mlme/connection_mgr/dispatcher/src/wlan_cm_roam_api.c
  4. 1 1
      core/mac/inc/sir_api.h
  5. 1 1
      core/mac/src/pe/lim/lim_send_messages.c

+ 2 - 1
components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload.c
Vedi File 

@@ -1380,7 +1380,8 @@ cm_fetch_ch_lst_from_occupied_lst(struct wlan_objmgr_vdev *vdev,
 
 			band = BAND_UNKNOWN;
 
 	}
 
 
-	for (i = 0; i < occupied_channels->num_chan; i++) {
 
+	for (i = 0; i < occupied_channels->num_chan &&
 
+	     occupied_channels->num_chan < CFG_VALID_CHANNEL_LIST_LEN; i++) {
 
 		if (cm_is_dfs_unsafe_extra_band_chan(vdev, mlme_obj,
 
 				occupied_channels->freq_list[i], band))
 
 			continue;

+ 1 - 2
components/umac/mlme/connection_mgr/dispatcher/inc/wlan_cm_roam_public_struct.h
Vedi File 

@@ -1440,7 +1440,6 @@ struct wlan_roam_scan_period_params {
 
 	uint32_t full_scan_period;
 
 };
 
 
-#define ROAM_MAX_CHANNELS 80
 
 /**
 
  * wlan_roam_scan_channel_list  - Roam Scan channel list related
 
  * parameters
 
@@ -1452,7 +1451,7 @@ struct wlan_roam_scan_period_params {
 
 struct wlan_roam_scan_channel_list {
 
 	uint32_t vdev_id;
 
 	uint8_t chan_count;
 
-	uint32_t chan_freq_list[ROAM_MAX_CHANNELS];
 
+	uint32_t chan_freq_list[CFG_VALID_CHANNEL_LIST_LEN];
 
 	uint8_t chan_cache_type;
 
 };

+ 4 - 1
components/umac/mlme/connection_mgr/dispatcher/src/wlan_cm_roam_api.c
Vedi File 

@@ -915,7 +915,7 @@ cm_append_pref_chan_list(struct rso_chan_info *chan_info, qdf_freq_t *freq_list,
 
 
 		if (j < num_chan)
 
 			continue;
 
-		if (num_chan == ROAM_MAX_CHANNELS)
 
+		if (num_chan == CFG_VALID_CHANNEL_LIST_LEN)
 
 			break;
 
 		freq_list[num_chan++] = chan_info->freq_list[i];
 
 	}
 
@@ -1634,6 +1634,9 @@ static void cm_add_to_occupied_channels(qdf_freq_t ch_freq,
 
 					    num_occupied_ch, ch_freq))
 
 		return;
 
 
+	if (num_occupied_ch >= CFG_VALID_CHANNEL_LIST_LEN)
 
+		num_occupied_ch = CFG_VALID_CHANNEL_LIST_LEN - 1;
 
+
 
 	status = cm_add_to_freq_list_front(occupied_ch_lst,
 
 					   num_occupied_ch, ch_freq);
 
 	if (QDF_IS_STATUS_SUCCESS(status)) {

+ 1 - 1
core/mac/inc/sir_api.h
Vedi File 

@@ -4193,7 +4193,7 @@ struct obss_ht40_scanind {
 
 	uint8_t bss_id;
 
 	uint8_t fortymhz_intolerent;
 
 	uint8_t channel_count;
 
-	uint32_t chan_freq_list[ROAM_MAX_CHANNELS];
 
+	uint32_t chan_freq_list[CFG_VALID_CHANNEL_LIST_LEN];
 
 	uint8_t current_operatingclass;
 
 	uint16_t iefield_len;
 
 	uint8_t  iefield[SIR_ROAM_SCAN_MAX_PB_REQ_SIZE];

+ 1 - 1
core/mac/src/pe/lim/lim_send_messages.c
Vedi File 

@@ -509,7 +509,7 @@ QDF_STATUS lim_send_ht40_obss_scanind(struct mac_context *mac_ctx,
 
 	/* Extract 24G channel list */
 
 	channel24gnum = 0;
 
 	for (count = 0; count < channelnum &&
 
-		(channel24gnum < ROAM_MAX_CHANNELS); count++) {
 
+		(channel24gnum < CFG_VALID_CHANNEL_LIST_LEN); count++) {
 
 		chan_freq =
 
 			mac_ctx->mlme_cfg->reg.valid_channel_freq_list[count];
 
 		if (wlan_reg_is_24ghz_ch_freq(chan_freq)) {