diff options
| author | Arif Hussain <arifhussain@codeaurora.org> | 2018-09-14 16:52:24 -0700 |
|---|---|---|
| committer | Les Lee <lesl@google.com> | 2019-07-04 09:36:09 +0000 |
| commit | 5891b00885f87ec30c4682d9fc83c07ee2003877 (patch) | |
| tree | bfa6882b6d311eea3b12c1eb523ef4175dfe54ac | |
| parent | b0ef98dff22c353d1f451dc9dcb53cb1b067c10e (diff) | |
| download | qcacld-5891b00885f87ec30c4682d9fc83c07ee2003877.tar.gz | |
qcacld-3.0: Fix possible OOB in wma_unified_radio_tx_mem_free()android-q-preview-6_r0.6android-q-preview-6_r0.4android-10.0.0_r0.4android-10.0.0_r0.3android-10.0.0_r0.20android-10.0.0_r0.19android-10.0.0_r0.12android-10.0.0_r0.10android-msm-crosshatch-4.9-q-preview-6android-msm-crosshatch-4.9-android10-releaseandroid-msm-bonito-4.9-q-preview-6android-msm-bonito-4.9-android10-release
In wma_unified_radio_tx_mem_free() function, results buffer array may be
dereferenced with large index value, that may result OOB memory access.
Fix the same by correcting incrementing pointer to results buffer.
Change-Id: I57a26dba9db32758c7d7fd51b99d3364a8020a9d
CRs-Fixed: 2308644
Bug: 136197213
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
| -rw-r--r-- | core/wma/src/wma_utils.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c index 02eea17fa6..7bfd3a4c5a 100644 --- a/core/wma/src/wma_utils.c +++ b/core/wma/src/wma_utils.c @@ -1437,7 +1437,6 @@ int wma_unified_radio_tx_mem_free(void *handle) rs_results = (tSirWifiRadioStat *) &wma_handle->link_stats_results->results[0]; for (i = 0; i < wma_handle->link_stats_results->num_radio; i++) { - rs_results += i; if (rs_results->tx_time_per_power_level) { qdf_mem_free(rs_results->tx_time_per_power_level); rs_results->tx_time_per_power_level = NULL; @@ -1447,6 +1446,7 @@ int wma_unified_radio_tx_mem_free(void *handle) qdf_mem_free(rs_results->channels); rs_results->channels = NULL; } + rs_results++; } qdf_mem_free(wma_handle->link_stats_results); |