authorHsiu-Chang Chen <hsiuchangchen@google.com>2022-12-19 17:44:22 +0800
committerHsiu-Chang Chen <hsiuchangchen@google.com>2023-05-09 03:16:28 +0000
commita51b757fc7eef9e993a93e4d8748a02bc4027599 (patch)
treeab18e7a5fae9270554260b5d9240ad9b264b85dd
parent9d72a095d4441badfae909ab16ca647bf3a1ff29 (diff)
downloadqcacld-android-msm-redbull-4.19-android14-release.tar.gz
In wma_group_num_bss_to_scan_id(), bssid_list may be accessed out of bounds. Add a check to avoid a potential OOB access to bssid_list. Bug: 245789946 Test: Regression Test Change-Id: I218af0fe617f64a50c7c296c622f7fac01e1b4fc CRs-Fixed: 3357461 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r--core/wma/src/wma_scan_roam.c21
1 files changed, 12 insertions, 9 deletions
diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
index 8d5b6c7243..62e64d87f6 100644
--- a/core/wma/src/wma_scan_roam.c
+++ b/core/wma/src/wma_scan_roam.c
@@ -5168,6 +5168,7 @@ static int wma_group_num_bss_to_scan_id(const u_int8_t *cmd_param_info,
struct extscan_cached_scan_results *t_cached_result;
struct extscan_cached_scan_result *t_scan_id_grp;
int i, j;
+ uint32_t total_scan_num_results = 0;
tSirWifiScanResult *ap;
param_buf = (WMI_EXTSCAN_CACHED_RESULTS_EVENTID_param_tlvs *)
@@ -5178,17 +5179,20 @@ static int wma_group_num_bss_to_scan_id(const u_int8_t *cmd_param_info,
t_cached_result = cached_result;
t_scan_id_grp = &t_cached_result->result[0];
- if ((t_cached_result->num_scan_ids *
- QDF_MIN(t_scan_id_grp->num_results,
- param_buf->num_bssid_list)) > param_buf->num_bssid_list) {
- WMA_LOGE("%s:num_scan_ids %d, num_results %d num_bssid_list %d",
+ for (i = 0; i < t_cached_result->num_scan_ids; i++) {
+ total_scan_num_results += t_scan_id_grp->num_results;
+ t_scan_id_grp++;
+ }
+
+ if (total_scan_num_results > param_buf->num_bssid_list) {
+ WMA_LOGE("%s:total_scan_num_results %d, num_bssid_list %d",
__func__,
- t_cached_result->num_scan_ids,
- t_scan_id_grp->num_results,
- param_buf->num_bssid_list);
+ total_scan_num_results,
+ param_buf->num_bssid_list);
return -EINVAL;
}
+ t_scan_id_grp = &t_cached_result->result[0];
WMA_LOGD("%s: num_scan_ids:%d", __func__,
t_cached_result->num_scan_ids);
for (i = 0; i < t_cached_result->num_scan_ids; i++) {
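Review bot: The running sum in the new pre-check loop can wrap, because `total_scan_num_results` is a `uint32_t` and each `num_results` is added with no per-step bound. If those counts arrive from the firmware event without earlier validation (not visible in this hunk), a set of large values can sum to a small number and pass `total_scan_num_results > param_buf->num_bssid_list`. Testing before each addition avoids that: `if (t_scan_id_grp->num_results > param_buf->num_bssid_list - total_scan_num_results) return -EINVAL;`. The same loop walks `result[]` for `num_scan_ids` entries, and nothing in the visible lines shows that count bounded against the allocated array, so that is worth confirming in the caller. The new log line also prints unsigned values with `%d`, where `%u` would match.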
@@ -5200,8 +5204,7 @@ static int wma_group_num_bss_to_scan_id(const u_int8_t *cmd_param_info,
return -ENOMEM;
ap = &t_scan_id_grp->ap[0];
- for (j = 0; j < QDF_MIN(t_scan_id_grp->num_results,
- param_buf->num_bssid_list); j++) {
+ for (j = 0; j < t_scan_id_grp->num_results; j++) {
ap->channel = src_hotlist->channel;
ap->ts = WMA_MSEC_TO_USEC(src_rssi->tstamp);
ap->rtt = src_hotlist->rtt;
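Review bot: With the `QDF_MIN` clamp removed, the inner loop `for (j = 0; j < t_scan_id_grp->num_results; j++)` depends entirely on the earlier total-count check, and that check compares only against `num_bssid_list`. The loop body also reads `src_rssi->tstamp`. If `src_rssi` steps through a separate TLV array alongside `src_hotlist` (the increments are outside this hunk), that array's element count needs the same comparison before the loop. A short comment above the loop, such as `/* sum of num_results was validated against num_bssid_list above */`, would make the dependency explicit for anyone who later moves or edits the pre-check.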