首頁 探索 說明
登入
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
瀏覽代碼

qcacld-3.0: Fix out of bounds access in wmi_extract_pdev_hw_mode_trans_ind

Add tlv array number check for vdev_mac mapping elements in roam
and roam sync event to fix potential out of bounds access of memory.

Change-Id: Iad3951bab65153a67d1b76aa745a831d0fd2cb45
CRs-Fixed: 3132366
Liangwei Dong 3 年之前
父節點
c1eb14cc1a
當前提交
baf5200060
共有 1 個文件被更改,包括 20 次插入0 次删除
分割檢視 顯示文件統計
  1. 20 0
      components/wmi/src/wmi_unified_roam_tlv.c

+ 20 - 0
components/wmi/src/wmi_unified_roam_tlv.c
查看文件 

@@ -2224,6 +2224,7 @@ extract_roam_sync_event_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 
 	uint32_t bcn_probe_rsp_len;
 
 	uint32_t reassoc_rsp_len;
 
 	uint32_t reassoc_req_len;
 
+	wmi_pdev_hw_mode_transition_event_fixed_param *hw_mode_trans_param;
 
 
 	if (!evt_buf) {
 
 		wmi_debug("Empty roam_sync_event param buf");
 
@@ -2241,6 +2242,15 @@ extract_roam_sync_event_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 
 		wmi_debug("received null event data from target");
 
 		return QDF_STATUS_E_FAILURE;
 
 	}
 
+	hw_mode_trans_param = param_buf->hw_mode_transition_fixed_param;
 
+	if (hw_mode_trans_param &&
 
+	    hw_mode_trans_param->num_vdev_mac_entries >
 
+	    param_buf->num_wmi_pdev_set_hw_mode_response_vdev_mac_mapping) {
 
+		wmi_debug("invalid vdev mac entries %d %d in roam sync",
 
+			  hw_mode_trans_param->num_vdev_mac_entries,
 
+			  param_buf->num_wmi_pdev_set_hw_mode_response_vdev_mac_mapping);
 
+		return QDF_STATUS_E_FAILURE;
 
+	}
 
 
 	if (synch_event->vdev_id >= WLAN_MAX_VDEVS) {
 
 		wmi_err("received invalid vdev_id %d",
 
@@ -2601,6 +2611,7 @@ extract_roam_event_tlv(wmi_unified_t wmi_handle, void *evt_buf, uint32_t len,
 
 	wmi_roam_event_fixed_param *wmi_event = NULL;
 
 	WMI_ROAM_EVENTID_param_tlvs *param_buf = NULL;
 
 	struct cm_hw_mode_trans_ind *hw_mode_trans_ind;
 
+	wmi_pdev_hw_mode_transition_event_fixed_param *hw_mode_trans_param;
 
 
 	if (!evt_buf) {
 
 		wmi_debug("Empty roam_sync_event param buf");
 
@@ -2628,6 +2639,15 @@ extract_roam_event_tlv(wmi_unified_t wmi_handle, void *evt_buf, uint32_t len,
 
 			roam_event->vdev_id);
 
 		return -EINVAL;
 
 	}
 
+	hw_mode_trans_param = param_buf->hw_mode_transition_fixed_param;
 
+	if (hw_mode_trans_param &&
 
+	    hw_mode_trans_param->num_vdev_mac_entries >
 
+	    param_buf->num_wmi_pdev_set_hw_mode_response_vdev_mac_mapping) {
 
+		wmi_debug("invalid vdev mac entries %d %d",
 
+			  hw_mode_trans_param->num_vdev_mac_entries,
 
+			  param_buf->num_wmi_pdev_set_hw_mode_response_vdev_mac_mapping);
 
+		return QDF_STATUS_E_FAILURE;
 
+	}
 
 
 	roam_event->reason =
 
 			wmi_convert_fw_reason_to_cm_reason(wmi_event->reason);