Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

qcacld-3.0: Fix memory corruption of GET_PREFERRED_FREQ_LIST

1. Change pcl_list to uint32_t array.
2. Populate weight freq from pcl_list.
3. Correct the skb allocation size to include attr hdr

Change-Id: Iace73efda1ec55b7f12c2ce3bcc1ea3262ad01f8
CRs-Fixed: 2554031
Liangwei Dong 5 years ago
parent
cf57262302
commit
c213d8e885
2 changed files with 11 additions and 12 deletions
Split View Show Diff Stats
  1. 1 1
      components/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
  2. 10 11
      core/hdd/src/wlan_hdd_cfg80211.c

+ 1 - 1
components/cmn_services/policy_mgr/src/wlan_policy_mgr_pcl.c
View File 

@@ -312,7 +312,7 @@ static QDF_STATUS policy_mgr_modify_pcl_based_on_dnbs(
 
 						uint32_t *pcl_len_org)
 
 {
 
 	uint32_t i, pcl_len = 0;
 
-	uint8_t pcl_list[QDF_MAX_NUM_CHAN];
 
+	uint32_t pcl_list[QDF_MAX_NUM_CHAN];
 
 	uint8_t weight_list[QDF_MAX_NUM_CHAN];
 
 	bool ok;
 
 	QDF_STATUS status = QDF_STATUS_E_FAILURE;

+ 10 - 11
core/hdd/src/wlan_hdd_cfg80211.c
View File 

@@ -9523,9 +9523,7 @@ static uint32_t wlan_hdd_populate_weigh_pcl(
 
 
 	/* convert channel number to frequency */
 
 	for (i = 0; i < chan_weights->pcl_len; i++) {
 
-		if (chan_weights->pcl_list[i] <=
 
-		    ARRAY_SIZE(hdd_channels_2_4_ghz))
 
-			w_pcl[i].freq = chan_weights->pcl_list[i];
 
+		w_pcl[i].freq = chan_weights->pcl_list[i];
 
 		w_pcl[i].weight = chan_weights->weight_list[i];
 
 
 		if (intf_mode == PM_SAP_MODE || intf_mode == PM_P2P_GO_MODE)
 
@@ -9550,10 +9548,8 @@ static uint32_t wlan_hdd_populate_weigh_pcl(
 
 				break;
 
 		}
 
 		if (j == chan_weights->pcl_len) {
 
-			if (chan_weights->saved_chan_list[i] <=
 
-				ARRAY_SIZE(hdd_channels_2_4_ghz))
 
-				w_pcl[chan_idx].freq =
 
-					chan_weights->saved_chan_list[i];
 
+			w_pcl[chan_idx].freq =
 
+				chan_weights->saved_chan_list[i];
 
 
 			if (!chan_weights->weighed_valid_list[i]) {
 
 				w_pcl[chan_idx].flag =
 
@@ -9662,10 +9658,13 @@ static int __wlan_hdd_cfg80211_get_preferred_freq_list(struct wiphy *wiphy,
 
 		freq_list[i] = w_pcl[i].freq;
 
 
 	/* send the freq_list back to supplicant */
 
-	reply_skb = cfg80211_vendor_cmd_alloc_reply_skb(wiphy, sizeof(u32) +
 
-					sizeof(u32) * pcl_len +
 
-					sizeof(struct weighed_pcl) * pcl_len +
 
-					NLMSG_HDRLEN);
 
+	reply_skb = cfg80211_vendor_cmd_alloc_reply_skb(
 
+			wiphy,
 
+			(sizeof(u32) + NLA_HDRLEN) +
 
+			(sizeof(u32) * pcl_len + NLA_HDRLEN) +
 
+			NLA_HDRLEN +
 
+			(NLA_HDRLEN * 4 + sizeof(u32) * 3) * pcl_len +
 
+			NLMSG_HDRLEN);
 
 
 	if (!reply_skb) {
 
 		hdd_err("Allocate reply_skb failed");