qcacmn: Add check for num_hw_modes
In extract_mac_phy_cap_service_ready_ext(), num_hw_modes is used as a loop bound and is a possible attack vector. hw_mode_caps is a pointer defined by firmware. The exact array length cannot be obtained because the length of the array that hw_mode_caps points to is variable. So check num_hw_modes against a maximum before the loop. The max number of hw modes is 24 including 11ax. Change-Id: I72f30ba819bca89915bb09f271e3dbe7c0f157a6 CRs-Fixed: 2369233
@@ -9381,6 +9381,7 @@ static QDF_STATUS extract_mac_phy_cap_service_ready_ext_tlv(
|
|||||||
uint8_t *event, uint8_t hw_mode_id, uint8_t phy_id,
|
uint8_t *event, uint8_t hw_mode_id, uint8_t phy_id,
|
||||||
struct wlan_psoc_host_mac_phy_caps *param)
|
struct wlan_psoc_host_mac_phy_caps *param)
|
||||||
{
|
{
|
||||||
|
#define MAX_NUM_HW_MODES 24
|
||||||
WMI_SERVICE_READY_EXT_EVENTID_param_tlvs *param_buf;
|
WMI_SERVICE_READY_EXT_EVENTID_param_tlvs *param_buf;
|
||||||
WMI_MAC_PHY_CAPABILITIES *mac_phy_caps;
|
WMI_MAC_PHY_CAPABILITIES *mac_phy_caps;
|
||||||
WMI_SOC_MAC_PHY_HW_MODE_CAPS *hw_caps;
|
WMI_SOC_MAC_PHY_HW_MODE_CAPS *hw_caps;
|
||||||
@@ -9394,6 +9395,13 @@ static QDF_STATUS extract_mac_phy_cap_service_ready_ext_tlv(
|
|||||||
hw_caps = param_buf->soc_hw_mode_caps;
|
hw_caps = param_buf->soc_hw_mode_caps;
|
||||||
if (!hw_caps)
|
if (!hw_caps)
|
||||||
return QDF_STATUS_E_INVAL;
|
return QDF_STATUS_E_INVAL;
|
||||||
|
/**
|
||||||
|
* The max number of hw modes is 24 including 11ax.
|
||||||
|
*/
|
||||||
|
if (hw_caps->num_hw_modes > MAX_NUM_HW_MODES) {
|
||||||
|
wmi_err_rl("invalid num_hw_modes %d", hw_caps->num_hw_modes);
|
||||||
|
return QDF_STATUS_E_INVAL;
|
||||||
|
}
|
||||||
|
|
||||||
for (hw_idx = 0; hw_idx < hw_caps->num_hw_modes; hw_idx++) {
|
for (hw_idx = 0; hw_idx < hw_caps->num_hw_modes; hw_idx++) {
|
||||||
if (hw_mode_id == param_buf->hw_mode_caps[hw_idx].hw_mode_id)
|
if (hw_mode_id == param_buf->hw_mode_caps[hw_idx].hw_mode_id)
|
||||||
|
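Review bot: The new `num_hw_modes > MAX_NUM_HW_MODES` guard caps the loop at 24 iterations but does not tie the bound to the number of `hw_mode_caps` elements actually present in the event, so a firmware-supplied count that is at most 24 yet larger than the received array would still let `param_buf->hw_mode_caps[hw_idx]` read past the TLV. If the TLV parser records the element count for this array (the generated param_tlvs structs usually carry a `num_hw_mode_caps` field; it is not visible in this hunk, so confirm), the check should include it: `if (hw_caps->num_hw_modes > MAX_NUM_HW_MODES || hw_caps->num_hw_modes > param_buf->num_hw_mode_caps) {`. A NULL check on `param_buf->hw_mode_caps` before the loop is also not visible here and may be worth adding. The function starts and continues outside both hunks, so the loop body and any later indexing could not be reviewed.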