| author | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2023-02-16 18:09:50 +0530 |
|---|---|---|
| committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2023-05-05 13:36:50 +0800 |
| commit | 8de2c27c419e4a5d0ec6c540c020e0ad00fc1e33 (patch) | |
| tree | 5d3cd62dbba4548838be13e7916c9cb475d38b10 | |
| parent | 166dff5cd42ac4febdb8966c687e38c3125bf1a9 (diff) | |
| download | qca-wfi-host-cmn-android-msm-redbull-4.19-android14-release.tar.gz | |
qcacmn: Fix out-of-bounds of src_freq
Tags: android-u-qpr1-beta-1_r0.6, android-u-beta-5_r0.6, android-u-beta-5.3_r0.6, android-u-beta-5.2_r0.2, android-u-beta-4_r0.6, android-14.0.0_r0.47, android-14.0.0_r0.12, android-14.0.0_r0.1, android-msm-redbull-4.19-u-beta5.3, android-msm-redbull-4.19-u-beta5.2, android-msm-redbull-4.19-u-beta5, android-msm-redbull-4.19-u-beta4, android-msm-redbull-4.19-android14-release, android-msm-redbull-4.19-android14-qpr1-beta, android-msm-redbull-4.19-android14
When handling WMI_ROAM_SCAN_STATS_EVENTID,
the number of channels scanned for each roam trigger is fetched from
wmi_roam_scan_info TLV (wmi_roam_scan_info->roam_scan_channel_count).
The total number of channels for all the roam triggers is fetched from
param_buf->num_roam_scan_chan_info.
chan_idx is the index used to fetch the current channel info TLV to be
read. So if wmi_roam_scan_info->roam_scan_channel_count provided by
firmware exceeds the total param_buf->num_roam_scan_chan_info starting
from given chan_idx then OOB access of event buffer can happen.
To avoid this, validate the sum of the current chan_idx and
src_data->roam_scan_channel_count against
evt_buf->num_roam_scan_chan_info.
Bug: 280447263
Test: Regression Test
Change-Id: Ied94464d1f12690cf8832962b94595c2e00c33f8
CRs-Fixed: 3357714
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
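The check the commit message describes, as an added C model that is not the driver's code: the TLV structs, the MAX_ROAM_SCAN_CHAN value, the function names and the sample events below are assumptions and constructed inputs, not the types or data from wmi_unified_tlv.c. It goes one step beyond the patch in two places that a reviewer would want to see: the comparison is written as a subtraction so that chan_idx plus the firmware count cannot wrap a 32-bit value, and a rejected trigger leaves dst->num_chan at zero instead of a count with no channels behind it.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed cap on the host-side copy; the driver's real value is not shown here. */
#define MAX_ROAM_SCAN_CHAN 38

/* Hypothetical stand-ins for the firmware TLVs named in the commit message.
 * Only the fields the bounds check needs are modelled. */
struct roam_scan_info      { uint32_t roam_scan_channel_count; };
struct roam_scan_chan_info { uint32_t channel; };

struct param_buf {
    const struct roam_scan_info      *roam_scan_info;       /* one per roam trigger */
    uint32_t                          num_roam_scan_info;
    const struct roam_scan_chan_info *roam_scan_chan_info;  /* flat list, all triggers */
    uint32_t                          num_roam_scan_chan_info;
};

struct roam_scan_data {
    uint32_t num_chan;
    uint32_t chan_freq[MAX_ROAM_SCAN_CHAN];
};

/*
 * Copy the channel list of roam trigger `idx`, whose entries start at
 * *chan_idx in the flat roam_scan_chan_info array.  Returns 0 on success,
 * -1 if the firmware-supplied count would run past that array.  On failure
 * dst->num_chan is 0, so a caller cannot consume entries never written.
 */
int extract_roam_scan_chans(const struct param_buf *pb, uint32_t idx,
                            uint32_t *chan_idx, struct roam_scan_data *dst)
{
    uint32_t start = *chan_idx, count, ncopy, i;

    dst->num_chan = 0;
    if (idx >= pb->num_roam_scan_info)
        return -1;

    count = pb->roam_scan_info[idx].roam_scan_channel_count;

    /* Validate the full firmware count against the source array.  Written as
     * a subtraction so that `start + count` can never wrap a 32-bit value. */
    if (start > pb->num_roam_scan_chan_info ||
        count > pb->num_roam_scan_chan_info - start)
        return -1;

    /* The destination is fixed-size, so copy at most MAX_ROAM_SCAN_CHAN
     * entries, but advance chan_idx by the full count so the next trigger
     * starts where the firmware laid out its channels. */
    ncopy = count > MAX_ROAM_SCAN_CHAN ? MAX_ROAM_SCAN_CHAN : count;
    for (i = 0; i < ncopy; i++)
        dst->chan_freq[i] = pb->roam_scan_chan_info[start + i].channel;

    dst->num_chan = ncopy;
    *chan_idx = start + count;
    return 0;
}

/* Walk every trigger in the event.  Returns the number of triggers parsed,
 * or -1 as soon as one carries an inconsistent channel count. */
int extract_all_triggers(const struct param_buf *pb,
                         struct roam_scan_data *out, uint32_t max_out)
{
    uint32_t chan_idx = 0, n, i;

    n = pb->num_roam_scan_info < max_out ? pb->num_roam_scan_info : max_out;
    for (i = 0; i < n; i++)
        if (extract_roam_scan_chans(pb, i, &chan_idx, &out[i]) != 0)
            return -1;
    return (int)n;
}

/* Constructed sample events (not captured from real firmware). */
static const struct roam_scan_chan_info sample_chans[] = {
    {2412}, {2437}, {2462}, {5180}, {5200}
};
/* Consistent: trigger 0 scanned 3 channels, trigger 1 scanned 2; 5 in total. */
static const struct roam_scan_info good_info[] = { {3}, {2} };
const struct param_buf good_event = { good_info, 2, sample_chans, 5 };
/* Hostile: trigger 1 claims 40 channels but only 2 remain after index 3. */
static const struct roam_scan_info bad_info[] = { {3}, {40} };
const struct param_buf bad_event = { bad_info, 2, sample_chans, 5 };

int main(void)
{
    struct roam_scan_data out[2];
    int n = extract_all_triggers(&good_event, out, 2);

    printf("good event: %d triggers, trigger 1 first freq %u\n", n, out[1].chan_freq[0]);
    n = extract_all_triggers(&bad_event, out, 2);
    printf("bad event: %d (rejected), trigger 1 num_chan %u\n", n, out[1].num_chan);
    return 0;
}
```

Advancing chan_idx by the firmware's full count while copying only the capped number is a design choice of this model: the host-side array limits how much is kept, but the firmware's layout decides where the next trigger's channels begin, and mixing the two would silently misalign every later trigger.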
-rw-r--r-- | wmi/src/wmi_unified_tlv.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 0a11afc7a..6e016a47a 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -12059,6 +12059,15 @@ extract_roam_scan_stats_tlv(wmi_unified_t wmi_handle, void *evt_buf, dst->num_chan = MAX_ROAM_SCAN_CHAN; src_chan = ¶m_buf->roam_scan_chan_info[chan_idx]; + + if ((dst->num_chan + chan_idx) > + param_buf->num_roam_scan_chan_info) { + wmi_err("Invalid TLV. num_chan %d chan_idx %d num_roam_scan_chan_info %d", + dst->num_chan, chan_idx, + param_buf->num_roam_scan_chan_info); + return QDF_STATUS_SUCCESS; + } + for (i = 0; i < dst->num_chan; i++) { dst->chan_freq[i] = src_chan->channel; src_chan++; @@ -12166,6 +12175,14 @@ extract_roam_11kv_stats_tlv(wmi_unified_t wmi_handle, void *evt_buf, if (dst->num_freq > MAX_ROAM_SCAN_CHAN) dst->num_freq = MAX_ROAM_SCAN_CHAN; + if ((dst->num_freq + rpt_idx) > + param_buf->num_roam_neighbor_report_chan_info) { + wmi_err("Invalid TLV. num_freq %d rpt_idx %d num_roam_neighbor_report_chan_info %d", + dst->num_freq, rpt_idx, + param_buf->num_roam_scan_chan_info); + return QDF_STATUS_SUCCESS; + } + for (i = 0; i < dst->num_freq; i++) { dst->freq[i] = src_freq->channel; src_freq++; |
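Review bot: in the extract_roam_scan_stats_tlv hunk, `return QDF_STATUS_SUCCESS;` on the invalid-TLV path leaves dst->num_chan at the value set just above the check (`dst->num_chan = MAX_ROAM_SCAN_CHAN;` in the context) while dst->chan_freq[] is never filled by the loop that follows, so a caller that trusts the status will read channel entries that were never written. Either set dst->num_chan = 0 before returning or return an error status such as QDF_STATUS_E_INVAL so the event is dropped. A smaller point: `src_chan = &param_buf->roam_scan_chan_info[chan_idx];` is computed before the check; moving the check above it avoids forming an out-of-range pointer at all.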
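Review bot: the error log in the extract_roam_11kv_stats_tlv hunk prints the wrong field: the format string labels the third value num_roam_neighbor_report_chan_info but the argument passed is `param_buf->num_roam_scan_chan_info`; it should be `param_buf->num_roam_neighbor_report_chan_info`, the value the condition actually compares against, otherwise the message misleads whoever debugs a rejected event. The same comment as for the first hunk applies to `return QDF_STATUS_SUCCESS;` here: dst->num_freq has already been set when the check fails, so zero it or return an error status.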