samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Forkuj 0
Kod Zgłoszenia Oczekujące zmiany Actions Packages Projekty Wydania Wiki Aktywność

qcacld-3.0: Fix out of bounds access in wmi_extract_pdev_hw_mode_trans_ind

Przeglądaj źródła 
Add tlv array number check for vdev_mac mapping elements in roam
and roam sync event to fix potential out of bounds access of memory.

Change-Id: Iad3951bab65153a67d1b76aa745a831d0fd2cb45
CRs-Fixed: 3132366
This commit is contained in:
Liangwei Dong
2022-02-17 14:56:40 +08:00
zatwierdzone przez Madan Koyyalamudi
rodzic c1eb14cc1a
commit baf5200060
1 zmienionych plików z 20 dodań i 0 usunięć
Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

20
components/wmi/src/wmi_unified_roam_tlv.c
Wyświetl plik

@@ -2224,6 +2224,7 @@ extract_roam_sync_event_tlv(wmi_unified_t wmi_handle, void *evt_buf,
uint32_t bcn_probe_rsp_len;
uint32_t reassoc_rsp_len;
uint32_t reassoc_req_len;
wmi_pdev_hw_mode_transition_event_fixed_param *hw_mode_trans_param;
if (!evt_buf) {
wmi_debug("Empty roam_sync_event param buf");
@@ -2241,6 +2242,15 @@ extract_roam_sync_event_tlv(wmi_unified_t wmi_handle, void *evt_buf,
wmi_debug("received null event data from target");
return QDF_STATUS_E_FAILURE;
}
hw_mode_trans_param = param_buf->hw_mode_transition_fixed_param;
if (hw_mode_trans_param &&
hw_mode_trans_param->num_vdev_mac_entries >
param_buf->num_wmi_pdev_set_hw_mode_response_vdev_mac_mapping) {
wmi_debug("invalid vdev mac entries %d %d in roam sync",
hw_mode_trans_param->num_vdev_mac_entries,
param_buf->num_wmi_pdev_set_hw_mode_response_vdev_mac_mapping);
return QDF_STATUS_E_FAILURE;
}
if (synch_event->vdev_id >= WLAN_MAX_VDEVS) {
wmi_err("received invalid vdev_id %d",
@@ -2601,6 +2611,7 @@ extract_roam_event_tlv(wmi_unified_t wmi_handle, void *evt_buf, uint32_t len,
wmi_roam_event_fixed_param *wmi_event = NULL;
WMI_ROAM_EVENTID_param_tlvs *param_buf = NULL;
struct cm_hw_mode_trans_ind *hw_mode_trans_ind;
wmi_pdev_hw_mode_transition_event_fixed_param *hw_mode_trans_param;
if (!evt_buf) {
wmi_debug("Empty roam_sync_event param buf");
@@ -2628,6 +2639,15 @@ extract_roam_event_tlv(wmi_unified_t wmi_handle, void *evt_buf, uint32_t len,
roam_event->vdev_id);
return -EINVAL;
}
hw_mode_trans_param = param_buf->hw_mode_transition_fixed_param;
if (hw_mode_trans_param &&
hw_mode_trans_param->num_vdev_mac_entries >
param_buf->num_wmi_pdev_set_hw_mode_response_vdev_mac_mapping) {
wmi_debug("invalid vdev mac entries %d %d",
hw_mode_trans_param->num_vdev_mac_entries,
param_buf->num_wmi_pdev_set_hw_mode_response_vdev_mac_mapping);
return QDF_STATUS_E_FAILURE;
}
roam_event->reason =
wmi_convert_fw_reason_to_cm_reason(wmi_event->reason);