author | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2020-01-08 10:29:19 +0800 |
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2020-01-08 10:29:19 +0800 |
commit | f73885f5965f9bdb3c636d26a71349c2b0f614c7 (patch) | |
tree | 1551327617dadece9cd84fa7e8d1c1c660d33b41 | |
parent | 5891b00885f87ec30c4682d9fc83c07ee2003877 (diff) | |
download | qcacld-f73885f5965f9bdb3c636d26a71349c2b0f614c7.tar.gz |
qcacld-3.0: Possible OOB write in rrm_process_radio_measurement_request
If two measurement requests cause update_rrm_report() to be called twice,
an out-of-bounds write to the allocated report array, report[], in
rrm_process_radio_measurement_request is possible.
Bug: 147103218
Change-Id: Icc8b7aa14bbcc1219d28025e599c9976a3525bba
CRs-Fixed: 2564485
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r-- | core/mac/src/pe/rrm/rrm_api.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index 6c351e8d13..3ca467f57b 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -1043,28 +1043,30 @@ tSirRetStatus rrm_process_beacon_req(tpAniSirGlobal mac_ctx, tSirMacAddr peer,
 */
 static tSirRetStatus update_rrm_report(tpAniSirGlobal mac_ctx,
- tpSirMacRadioMeasureReport report,
+ tpSirMacRadioMeasureReport *report,
 tDot11fRadioMeasurementRequest *rrm_req,
 uint8_t *num_report, int index)
 {
- if (report == NULL) {
+ tpSirMacRadioMeasureReport rrm_report;
+
+ if (!*report) {
 /*
 * Allocate memory to send reports for
 * any subsequent requests.
 */
- report = qdf_mem_malloc(sizeof(*report) *
+ *report = qdf_mem_malloc(sizeof(tSirMacRadioMeasureReport) *
 (rrm_req->num_MeasurementRequest - index));
- if (NULL == report) {
- pe_err("Unable to allocate memory during RRM Req processing");
+ if (!*report) {
+ pe_err("Fail to alloc mem during RRM Req processing");
 return eSIR_MEM_ALLOC_FAILED;
 }
- pe_debug("rrm beacon type incapable of %d report",
- *num_report);
+ pe_debug("rrm beacon type incapable of %d report", *num_report);
 }
- report[*num_report].incapable = 1;
- report[*num_report].type =
+ rrm_report = *report;
+ rrm_report[*num_report].incapable = 1;
+ rrm_report[*num_report].type =
 rrm_req->MeasurementRequest[index].measurement_type;
- report[*num_report].token =
+ rrm_report[*num_report].token =
 rrm_req->MeasurementRequest[index].measurement_token;
 (*num_report)++;
 return eSIR_SUCCESS;
@@ -1146,7 +1148,7 @@ rrm_process_radio_measurement_request(tpAniSirGlobal mac_ctx,
 break;
 default:
 /* Send a report with incapabale bit set. */
- status = update_rrm_report(mac_ctx, report, rrm_req,
+ status = update_rrm_report(mac_ctx, &report, rrm_req,
 &num_report, i);
 if (eSIR_SUCCESS != status)
 return status;
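Review bot: The new code still indexes `rrm_report[*num_report]` with no bound: the buffer is sized `rrm_req->num_MeasurementRequest - index` at first allocation, that capacity is not recorded anywhere, and the write stays in bounds only if the caller in rrm_process_radio_measurement_request (second hunk; its loop and the eventual release of `report` are outside the hunk) emits at most one report per request and never advances `num_report` while `report` is still NULL. A cheap guard before the three assignments, `if (*num_report >= rrm_req->num_MeasurementRequest) return eSIR_FAILURE;`, would turn a violated invariant into an error return instead of a heap overwrite. The Doxygen header above the function ends at the `*/` that opens the first hunk, so its `@report` line presumably still describes the old by-value array; it should now read along the lines of `@report: in/out pointer to the report array; allocated here on first use and sized for the requests from @index onward, so callers must not advance @num_report except through this function`. Writing `sizeof(**report)` instead of spelling out `sizeof(tSirMacRadioMeasureReport)` would also keep the allocation tied to the pointer's type.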