Inicio Explorar Ayuda
Iniciar sesión
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Explorar el Código

qcacld-3.0: Fix an improper parameter type casting

In function csr_check_concurrent_channel_overlap, local
variable intf_ch is defined as uint16_t, but its pointer
is casted to uint32_t * before invoking
policy_mgr_get_sap_mandatory_channel, which will do
32-bit memory write and causes a stack memory over-
writing.

Call Trace:
  dump_stack+0x46/0x59
  print_address_description+0x66/0x22b
  kasan_report+0x21f/0x245
  policy_mgr_get_sap_mandatory_channel+0x1fd/0x258 [wlan]
  csr_check_concurrent_channel_overlap+0xf84/0x10d2 [wlan]
  sme_check_concurrent_channel_overlap+0xaa/0xf0 [wlan]
  wlansap_check_cc_intf+0x102/0x124 [wlan]
  wlan_hdd_get_channel_for_sap_restart+0x506/0x8f8 [wlan]
  policy_mgr_check_sta_ap_concurrent_ch_intf+0x35e/0x425[wlan]
  process_one_work+0x2cc/0x53b
  worker_thread+0x357/0x490

Change the type of the 2nd parameter to uint16_t within
function policy_mgr_get_sap_mandatory_channel, so only
16-bit memory writing will take place.

Change-Id: If514a394e65d005a1fe025c0e753bf7440dd5dde
CRs-Fixed: 2508798
wadesong hace 5 años
padre
d0aad46178
commit
bf39868cae
Se han modificado 3 ficheros con 4 adiciones y 4 borrados
Dividir vista Mostrar estadísticas de diff
  1. 1 1
      components/cmn_services/policy_mgr/inc/wlan_policy_mgr_api.h
  2. 1 1
      components/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
  3. 2 2
      core/sme/src/csr/csr_util.c

+ 1 - 1
components/cmn_services/policy_mgr/inc/wlan_policy_mgr_api.h
Ver fichero 

@@ -1758,7 +1758,7 @@ QDF_STATUS policy_mgr_get_nss_for_vdev(struct wlan_objmgr_psoc *psoc,
 
  * Return: QDF_STATUS
 
  */
 
 QDF_STATUS policy_mgr_get_sap_mandatory_channel(struct wlan_objmgr_psoc *psoc,
 
-		uint32_t *chan);
 
+						uint16_t *chan);
 
 
 /**
 
  * policy_mgr_set_sap_mandatory_channels() - Set the mandatory channel for SAP

+ 1 - 1
components/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
Ver fichero 

@@ -2098,7 +2098,7 @@ QDF_STATUS policy_mgr_modify_sap_pcl_based_on_mandatory_channel(
 
 }
 
 
 QDF_STATUS policy_mgr_get_sap_mandatory_channel(struct wlan_objmgr_psoc *psoc,
 
-		uint32_t *chan)
 
+						uint16_t *chan)
 
 {
 
 	QDF_STATUS status;
 
 	struct policy_mgr_pcl_list pcl;

+ 2 - 2
core/sme/src/csr/csr_util.c
Ver fichero 

@@ -1103,7 +1103,7 @@ uint16_t csr_check_concurrent_channel_overlap(struct mac_context *mac_ctx,
 
 			status =
 
 				policy_mgr_get_sap_mandatory_channel(
 
 				mac_ctx->psoc,
 
-				(uint32_t *)&intf_ch);
 
+				&intf_ch);
 
 			if (QDF_IS_STATUS_ERROR(status))
 
 				sme_err("no mandatory channel");
 
 		}
 
@@ -1112,7 +1112,7 @@ uint16_t csr_check_concurrent_channel_overlap(struct mac_context *mac_ctx,
 
 		if (cds_chan_to_band(intf_ch) == CDS_BAND_2GHZ) {
 
 			status =
 
 				policy_mgr_get_sap_mandatory_channel(
 
-					mac_ctx->psoc, (uint32_t *)&intf_ch);
 
+					mac_ctx->psoc, &intf_ch);
 
 			if (QDF_IS_STATUS_ERROR(status))
 
 				sme_err("no mandatory channel");
 
 		}