authorNachiket Kukade <nkukade@codeaurora.org>2018-08-01 15:04:27 +0800
committerPrashanth Swaminathan <prashanthsw@google.com>2018-09-02 14:03:34 -0700
commit82e642a89b55337396227628311e1e2158ad0c0a (patch)
treebf9eb13fa9635a0358781db74f96fea56513d705
parent1d2fafd80a41c975a3c8a74564d29e6adc14004b (diff)
downloadqcom-msm-v4.9-82e642a89b55337396227628311e1e2158ad0c0a.tar.gz
qcacld-2.0: Add a NULL check on channels in IOCTL SETROAMSCANCHANNELS
qcacld-3.0 to qcacld-2.0 propagation

The user sends the driver a list of roaming scan channels to set through IOCTL SETROAMSCANCHANNELS. The parameters include the number of elements in the array, followed by the channel array and then a NULL character. But when the driver loops through the channel array, it doesn't have a NULL check. An erroneous number of elements passed by the user may cause a buffer overread. Add a NULL check on channels passed in IOCTL SETROAMSCANCHANNELS.

Change-Id: I527004d68e6ea76735afa00a7656299cd43eaa1a
CRs-Fixed: 2257064
Test: None
Bug: 111906763
-rw-r--r--techpack/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/techpack/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c b/techpack/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c
index 49d983139ad6..eac72d54ee33 100644
--- a/techpack/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c
+++ b/techpack/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c
@@ -2866,6 +2866,14 @@ hdd_parse_set_roam_scan_channels_v2(hdd_adapter_t *pAdapter,
for (i = 0; i < num_chan; i++) {
channel = *value++;
+ if (!channel) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ "%s: Channels end at index %d, expected %d",
+ __func__, i, num_chan);
+ ret = -EINVAL;
+ goto exit;
+ }
+
if (channel > WNI_CFG_CURRENT_CHANNEL_STAMAX) {
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
"%s: index %d invalid channel %d", __func__, i, channel);