Merge branch 'android-msm-bluecross-4.9-pi-qpr1' into android-msm-bluecross-4.9-pi-qpr2android-9.0.0_r0.73android-msm-crosshatch-4.9-pie-qpr2

APR 2019.3

Bug: 123654997
Change-Id: I8ba68963f1064c9181d3ae2a22dc03152653e29d
Signed-off-by: Maggie White <maggiewhite@google.com>

1 files changed, 20 insertions, 3 deletions

diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 4d8051c160..0788917994 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -9254,6 +9254,7 @@ __wlan_hdd_cfg80211_avoid_freq(struct wiphy *wiphy,
 	uint16_t unsafe_channel_index, local_unsafe_list_count;
 	tHddAvoidFreqList *channel_list;
 	enum tQDF_GLOBAL_CON_MODE curr_mode;
+	uint8_t num_args = 0;
 
 	ENTER_DEV(wdev->netdev);
 
@@ -9271,11 +9272,27 @@ __wlan_hdd_cfg80211_avoid_freq(struct wiphy *wiphy,
 	ret = wlan_hdd_validate_context(hdd_ctx);
 	if (0 != ret)
 		return ret;
+	if (!data || data_len < (sizeof(channel_list->avoidFreqRangeCount) +
+				 sizeof(tHddAvoidFreqRange))) {
+		hdd_err("Avoid frequency channel list empty");
+		return -EINVAL;
+	}
+	num_args = (data_len - sizeof(channel_list->avoidFreqRangeCount)) /
+		sizeof(channel_list->avoidFreqRange[0].startFreq);
+
+	if (num_args < 2 || num_args > HDD_MAX_AVOID_FREQ_RANGES * 2 ||
+	    num_args % 2 != 0) {
+		hdd_err("Invalid avoid frequency channel list");
+		return -EINVAL;
+	}
 
 	channel_list = (tHddAvoidFreqList *)data;
-	if (!channel_list) {
-		hdd_log(QDF_TRACE_LEVEL_ERROR,
-			"Avoid frequency channel list empty");
+
+	if (channel_list->avoidFreqRangeCount == 0 ||
+	    channel_list->avoidFreqRangeCount > HDD_MAX_AVOID_FREQ_RANGES ||
+	    2 * channel_list->avoidFreqRangeCount != num_args) {
+		hdd_err("Invalid frequency range count %d",
+			channel_list->avoidFreqRangeCount);
 		return -EINVAL;
 	}