Начало Каталог Помощ
Вход
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
Преглед на файлове

qcacld-3.0: Fix Use after free in wma_vdev_start_resp_handler

In the function wma_vdev_start_resp_handler when we recieve a
vdev start response event, we copy the req_msg->user_data to the
object hidden_ssid_restart of the structure
tpHalHiddenSsidVdevRestart. If hidden_ssid_restart_in_progress
flag is set for the corresponding vdev_id, then we post that
message to the PE and free the hidden_ssid_restart. If this
req_msg->user_data is used again if req_msg->msg_type is
WMA_CHNL_SWITCH_REQ , then a possible Use-After-Free will occur
in  wma_vdev_start_resp_handler.

When a channel switch request has occured, there will not be a
hidden ssid restart event in progress. So add check to validate
if the req_msg->msg_type == WMA_HIDDEN_SSID_VDEV_RESTART.

Change-Id: Ie3195b23ff136fbfd38fcd4d32e993d4cb016316
CRs-Fixed: 2216751
Pragaspathi Thilagaraj преди 7 години
родител
023bf55c6a
ревизия
b9c4674fda
променени са 1 файла, в които са добавени 2 реда и са изтрити 1 реда
Разделен изглед Покажи статистика за разликите
  1. 2 1
      core/wma/src/wma_dev_if.c

+ 2 - 1
core/wma/src/wma_dev_if.c
Целия файл 

@@ -1214,7 +1214,8 @@ int wma_vdev_start_resp_handler(void *handle, uint8_t *cmd_param_info,
 
 	if ((resp_event->vdev_id < wma->max_bssid) &&
 
 	    (qdf_atomic_read(
 
 	    &wma->interfaces[resp_event->vdev_id].vdev_restart_params.hidden_ssid_restart_in_progress))
 
-	    && (wma_is_vdev_in_ap_mode(wma, resp_event->vdev_id) == true)) {
 
+	    && (wma_is_vdev_in_ap_mode(wma, resp_event->vdev_id) == true)
 
+	    && (req_msg->msg_type == WMA_HIDDEN_SSID_VDEV_RESTART)) {
 
 		tpHalHiddenSsidVdevRestart hidden_ssid_restart =
 
 			(tpHalHiddenSsidVdevRestart)req_msg->user_data;
 
 		WMA_LOGE("%s: vdev restart event recevied for hidden ssid set using IOCTL",