qcacld-3.0: Fix off by one access to WMA->interface
Fix vdev_id validation in WMA. Currently the validation of vdev_id, which is an index into the wma->interfaces array, is off by one. Change-Id: I01fa048af08f76244896ae1ca4c53c61c1c60397 CRs-Fixed: 2057505
@@ -2307,7 +2307,7 @@ void wma_vdev_update_pause_bitmap(uint8_t vdev_id, uint16_t value)
|
|||||||
tp_wma_handle wma = (tp_wma_handle)cds_get_context(QDF_MODULE_ID_WMA);
|
tp_wma_handle wma = (tp_wma_handle)cds_get_context(QDF_MODULE_ID_WMA);
|
||||||
struct wma_txrx_node *iface;
|
struct wma_txrx_node *iface;
|
||||||
|
|
||||||
if (vdev_id > wma->max_bssid) {
|
if (vdev_id >= wma->max_bssid) {
|
||||||
WMA_LOGE("%s: Invalid vdev_id: %d", __func__, vdev_id);
|
WMA_LOGE("%s: Invalid vdev_id: %d", __func__, vdev_id);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
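Review bot: In wma_vdev_update_pause_bitmap the corrected bound check reads `wma->max_bssid` right after `wma` is fetched with cds_get_context(), and no NULL check is visible between the declaration and that dereference. If the WMA context can be absent at this point (an assumption, since the lookup itself is not shown), the validation would itself be a NULL dereference. Consider guarding first, e.g. `if (!wma) { WMA_LOGE("%s: WMA context is invalid", __func__); return; }`. The function body continues outside the hunk.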
@@ -423,7 +423,7 @@ struct cdp_vdev *wma_find_vdev_by_addr(tp_wma_handle wma, uint8_t *addr,
|
|||||||
static inline
|
static inline
|
||||||
struct cdp_vdev *wma_find_vdev_by_id(tp_wma_handle wma, uint8_t vdev_id)
|
struct cdp_vdev *wma_find_vdev_by_id(tp_wma_handle wma, uint8_t vdev_id)
|
||||||
{
|
{
|
||||||
if (vdev_id > wma->max_bssid)
|
if (vdev_id >= wma->max_bssid)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
return wma->interfaces[vdev_id].handle;
|
return wma->interfaces[vdev_id].handle;
|
||||||
|
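Review bot: The comparison `vdev_id >= wma->max_bssid` is now hand-written at every site this commit touches, and that duplication is what allowed the same off-by-one to exist in all of them. Since wma_find_vdev_by_id is already a shared `static inline`, a single predicate next to it would keep the bound in one place, for example `static inline bool wma_is_vdev_id_valid(tp_wma_handle wma, uint8_t vdev_id) { return vdev_id < wma->max_bssid; }` (the name is a proposal, not an existing symbol). A short comment stating that `wma->interfaces` holds `max_bssid` entries, so valid indices run from 0 to max_bssid - 1, would document the invariant the fix relies on. The allocation of the array is not visible in this diff, so that size should be confirmed.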
@@ -118,7 +118,7 @@ bool wma_is_vdev_in_ap_mode(tp_wma_handle wma, uint8_t vdev_id)
|
|||||||
{
|
{
|
||||||
struct wma_txrx_node *intf = wma->interfaces;
|
struct wma_txrx_node *intf = wma->interfaces;
|
||||||
|
|
||||||
if (vdev_id > wma->max_bssid) {
|
if (vdev_id >= wma->max_bssid) {
|
||||||
WMA_LOGE("%s: Invalid vdev_id %hu", __func__, vdev_id);
|
WMA_LOGE("%s: Invalid vdev_id %hu", __func__, vdev_id);
|
||||||
QDF_ASSERT(0);
|
QDF_ASSERT(0);
|
||||||
return false;
|
return false;
|
||||||
@@ -147,7 +147,7 @@ bool wma_is_vdev_in_ibss_mode(tp_wma_handle wma, uint8_t vdev_id)
|
|||||||
{
|
{
|
||||||
struct wma_txrx_node *intf = wma->interfaces;
|
struct wma_txrx_node *intf = wma->interfaces;
|
||||||
|
|
||||||
if (vdev_id > wma->max_bssid) {
|
if (vdev_id >= wma->max_bssid) {
|
||||||
WMA_LOGE("%s: Invalid vdev_id %hu", __func__, vdev_id);
|
WMA_LOGE("%s: Invalid vdev_id %hu", __func__, vdev_id);
|
||||||
QDF_ASSERT(0);
|
QDF_ASSERT(0);
|
||||||
return false;
|
return false;
|
||||||
@@ -976,7 +976,7 @@ int wma_vdev_start_resp_handler(void *handle, uint8_t *cmd_param_info,
|
|||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((resp_event->vdev_id <= wma->max_bssid) &&
|
if ((resp_event->vdev_id < wma->max_bssid) &&
|
||||||
(qdf_atomic_read(
|
(qdf_atomic_read(
|
||||||
&wma->interfaces[resp_event->vdev_id].vdev_restart_params.hidden_ssid_restart_in_progress))
|
&wma->interfaces[resp_event->vdev_id].vdev_restart_params.hidden_ssid_restart_in_progress))
|
||||||
&& (wma_is_vdev_in_ap_mode(wma, resp_event->vdev_id) == true)) {
|
&& (wma_is_vdev_in_ap_mode(wma, resp_event->vdev_id) == true)) {
|
||||||
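Review bot: In wma_vdev_start_resp_handler the bound on `resp_event->vdev_id` only gates this one compound condition, so an out-of-range id skips the hidden-SSID branch and execution continues. The id appears to come from a target response event, and any later `wma->interfaces[resp_event->vdev_id]` access in the handler would not be covered by this check. The rest of the function is outside the hunk, so that cannot be confirmed here. Rejecting the event once near the top, e.g. `if (resp_event->vdev_id >= wma->max_bssid) { WMA_LOGE("%s: Invalid vdev_id %d", __func__, resp_event->vdev_id); return -EINVAL; }`, would make the later uses safe by construction. The same applies to the matching condition in the wma_vdev_stop_resp_handler hunk at -1750.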
@@ -1750,7 +1750,7 @@ int wma_vdev_stop_resp_handler(void *handle, uint8_t *cmd_param_info,
|
|||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((resp_event->vdev_id <= wma->max_bssid) &&
|
if ((resp_event->vdev_id < wma->max_bssid) &&
|
||||||
(qdf_atomic_read
|
(qdf_atomic_read
|
||||||
(&wma->interfaces[resp_event->vdev_id].vdev_restart_params.
|
(&wma->interfaces[resp_event->vdev_id].vdev_restart_params.
|
||||||
hidden_ssid_restart_in_progress))
|
hidden_ssid_restart_in_progress))
|
||||||
@@ -1790,7 +1790,7 @@ int wma_vdev_stop_resp_handler(void *handle, uint8_t *cmd_param_info,
|
|||||||
tpDeleteBssParams params =
|
tpDeleteBssParams params =
|
||||||
(tpDeleteBssParams) req_msg->user_data;
|
(tpDeleteBssParams) req_msg->user_data;
|
||||||
|
|
||||||
if (resp_event->vdev_id > wma->max_bssid) {
|
if (resp_event->vdev_id >= wma->max_bssid) {
|
||||||
WMA_LOGE("%s: Invalid vdev_id %d", __func__,
|
WMA_LOGE("%s: Invalid vdev_id %d", __func__,
|
||||||
resp_event->vdev_id);
|
resp_event->vdev_id);
|
||||||
}
|
}
|
||||||
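Review bot: As shown in this hunk of wma_vdev_stop_resp_handler, the `if (resp_event->vdev_id >= wma->max_bssid)` block closes immediately after the WMA_LOGE call, so an invalid id is logged but not rejected. If the code after the closing brace indexes `wma->interfaces` with `resp_event->vdev_id` or uses `params` for that vdev, the out-of-bounds access the commit is fixing can still happen on this path. That code is outside the hunk and should be checked. The block should leave the handler after logging, for instance with `return -EINVAL;` as used earlier in this function, once whatever cleanup `req_msg` and `params` need has been done.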
@@ -2893,7 +2893,7 @@ void wma_vdev_resp_timer(void *data)
|
|||||||
struct beacon_info *bcn;
|
struct beacon_info *bcn;
|
||||||
struct wma_txrx_node *iface;
|
struct wma_txrx_node *iface;
|
||||||
|
|
||||||
if (tgt_req->vdev_id > wma->max_bssid) {
|
if (tgt_req->vdev_id >= wma->max_bssid) {
|
||||||
WMA_LOGE("%s: Invalid vdev_id %d", __func__,
|
WMA_LOGE("%s: Invalid vdev_id %d", __func__,
|
||||||
tgt_req->vdev_id);
|
tgt_req->vdev_id);
|
||||||
wma_cleanup_target_req_param(tgt_req);
|
wma_cleanup_target_req_param(tgt_req);
|
||||||
|
@@ -533,7 +533,7 @@ QDF_STATUS wma_start_scan(tp_wma_handle wma_handle,
|
|||||||
struct scan_req_params cmd = {0};
|
struct scan_req_params cmd = {0};
|
||||||
tSirScanOffloadEvent *scan_event;
|
tSirScanOffloadEvent *scan_event;
|
||||||
|
|
||||||
if (scan_req->sessionId > wma_handle->max_bssid) {
|
if (scan_req->sessionId >= wma_handle->max_bssid) {
|
||||||
WMA_LOGE("%s: Invalid vdev_id %d, msg_type : 0x%x", __func__,
|
WMA_LOGE("%s: Invalid vdev_id %d, msg_type : 0x%x", __func__,
|
||||||
scan_req->sessionId, msg_type);
|
scan_req->sessionId, msg_type);
|
||||||
goto error1;
|
goto error1;
|
||||||
|