samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix NULL pointer dereference issues in scan and power debug

Browse Source 
get_pdev_wmi_handle() can return a NULL pointer in some cases.
Perform a NULL check before using the returned pointer.

target_psoc_get_service_ext_param() can return NULL pointer in
some cases. Perform a NULL check before using the pointer.

The power debug command can  take a maximum of WMI_MAX_POWER_DBG_ARGS
arguments. Check for the limit before indexing the array to avoid
illegal access of memory or overflow the array.

Change-Id: I264475e9f86c7a7e78b17b7a1fa025718a7c5af6
CRs-Fixed: 2196063
This commit is contained in:
Varun Reddy Yeturu
2018-02-27 13:46:11 -08:00
committed by Nitesh Shrivastav
parent f06d9e3c0f
commit e6f8be37e2
1 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
wmi_unified_tlv.c
View File

@@ -2600,6 +2600,7 @@ static QDF_STATUS send_scan_start_cmd_tlv(wmi_unified_t wmi_handle,
uint8_t extraie_len_with_pad = 0; uint8_t extraie_len_with_pad = 0;
uint8_t phymode_roundup = 0; uint8_t phymode_roundup = 0;
struct probe_req_whitelist_attr *ie_whitelist = &params->ie_whitelist; struct probe_req_whitelist_attr *ie_whitelist = &params->ie_whitelist;
wmi_unified_t pdev_wmi_handle;
/* Length TLV placeholder for array of uint32_t */ /* Length TLV placeholder for array of uint32_t */
len += WMI_TLV_HDR_SIZE; len += WMI_TLV_HDR_SIZE;
@@ -2763,9 +2764,14 @@ static QDF_STATUS send_scan_start_cmd_tlv(wmi_unified_t wmi_handle,
WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_BYTE, 0); WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_BYTE, 0);
} }
ret = wmi_unified_cmd_send( pdev_wmi_handle = get_pdev_wmi_handle(wmi_handle, cmd->vdev_id);
get_pdev_wmi_handle(wmi_handle, cmd->vdev_id), wmi_buf, if (pdev_wmi_handle == NULL) {
len, WMI_START_SCAN_CMDID); WMI_LOGE("%s: Invalid PDEV WMI handle", __func__);
goto error;
}
ret = wmi_unified_cmd_send(pdev_wmi_handle, wmi_buf,
len, WMI_START_SCAN_CMDID);
if (ret) { if (ret) {
WMI_LOGE("%s: Failed to start scan: %d", __func__, ret); WMI_LOGE("%s: Failed to start scan: %d", __func__, ret);
wmi_buf_free(wmi_buf); wmi_buf_free(wmi_buf);
@@ -2790,6 +2796,7 @@ static QDF_STATUS send_scan_stop_cmd_tlv(wmi_unified_t wmi_handle,
int ret; int ret;
int len = sizeof(*cmd); int len = sizeof(*cmd);
wmi_buf_t wmi_buf; wmi_buf_t wmi_buf;
wmi_unified_t pdev_wmi_handle;
/* Allocate the memory */ /* Allocate the memory */
wmi_buf = wmi_buf_alloc(wmi_handle, len); wmi_buf = wmi_buf_alloc(wmi_handle, len);
@@ -2825,8 +2832,15 @@ static QDF_STATUS send_scan_stop_cmd_tlv(wmi_unified_t wmi_handle,
return QDF_STATUS_E_INVAL; return QDF_STATUS_E_INVAL;
} }
ret = wmi_unified_cmd_send(get_pdev_wmi_handle(wmi_handle, cmd->vdev_id), wmi_buf, pdev_wmi_handle = get_pdev_wmi_handle(wmi_handle, cmd->vdev_id);
len, WMI_STOP_SCAN_CMDID); if (pdev_wmi_handle == NULL) {
WMI_LOGE("%s: Invalid PDEV WMI handle", __func__);
wmi_buf_free(wmi_buf);
return QDF_STATUS_E_NULL_VALUE;
}
ret = wmi_unified_cmd_send(pdev_wmi_handle, wmi_buf,
len, WMI_STOP_SCAN_CMDID);
if (ret) { if (ret) {
WMI_LOGE("%s: Failed to send stop scan: %d", __func__, ret); WMI_LOGE("%s: Failed to send stop scan: %d", __func__, ret);
wmi_buf_free(wmi_buf); wmi_buf_free(wmi_buf);
@@ -16657,7 +16671,7 @@ static QDF_STATUS send_power_dbg_cmd_tlv(wmi_unified_t wmi_handle,
(param->num_args * sizeof(uint32_t))); (param->num_args * sizeof(uint32_t)));
cmd_args = (uint32_t *) (buf_ptr + WMI_TLV_HDR_SIZE); cmd_args = (uint32_t *) (buf_ptr + WMI_TLV_HDR_SIZE);
WMI_LOGI("%s: %d num of args = ", __func__, param->num_args); WMI_LOGI("%s: %d num of args = ", __func__, param->num_args);
for (i = 0; (i < param->num_args && i < WMI_UNIT_TEST_MAX_NUM_ARGS); i++) { for (i = 0; (i < param->num_args && i < WMI_MAX_POWER_DBG_ARGS); i++) {
cmd_args[i] = param->args[i]; cmd_args[i] = param->args[i];
WMI_LOGI("%d,", param->args[i]); WMI_LOGI("%d,", param->args[i]);
} }