author | Lihua Liu <lihual@codeaurora.org> | 2018-07-10 20:38:10 +0800 |
---|---|---|
committer | Shirle Yuen <shirleyshukyee@google.com> | 2018-07-30 10:35:50 -0700 |
commit | c57b49c1a613164d65c9e04a31888bc5f4f599bb (patch) | |
tree | c46bf9e163a183b76228453ee97b9616be4946c0 | |
parent | e268b0ace9805de169df3bdb65da31c03d95f214 (diff) | |
download | qcom-msm8x09-v3.10-c57b49c1a613164d65c9e04a31888bc5f4f599bb.tar.gz |
qcacld-2.0: Fix buffer overread in wma_extscan_cached_results_event_handler
qcacld-3.0 to qcacld-2.0 propagation
In function wma_extscan_cached_results_event_handler,
event->num_entries_in_page is received from the FW and is used in the
function wma_extscan_find_unique_scan_ids to calculate scan_ids_cnt
from src_rssi buffer. If the value of num_entries_in_page is greater
than the number of src_rssi buffers present, a buffer overread would
occur in the function wma_extscan_find_unique_scan_ids.
There is already a check in place to validate num_entries_in_page in
the function wma_extscan_cached_results_event_handler however it is done
after the call of wma_extscan_find_unique_scan_ids.
Move the checks on num_entries_in_page before using it in the function
wma_extscan_cached_results_event_handler
Change-Id: I303c0f7f2f150fe0b96d5473370b9553ae61304d
CRs-Fixed: 2221702
Bug: 111289931
(cherry picked from commit f84cc5ffe5aabab7d0c795a0b8d4f10b5b4a769f)
-rw-r--r-- | drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 52 |
1 files changed, 23 insertions, 29 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index 054486dce83..7c4bf80e6ef 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -4587,7 +4587,7 @@ static int wma_extscan_cached_results_event_handler(void *handle,
 	struct extscan_cached_scan_results empty_cachelist;
 	wmi_extscan_wlan_descriptor *src_hotlist;
 	wmi_extscan_rssi_info *src_rssi;
-	int numap, i, moredata, scan_ids_cnt;
+	int i, moredata, scan_ids_cnt;
 	int buf_len;
 	u_int32_t total_len;
 	bool excess_data = false;
@@ -4601,7 +4601,7 @@ static int wma_extscan_cached_results_event_handler(void *handle,
 	if (!pMac->sme.pExtScanIndCb) {
 		WMA_LOGE("%s: Callback not registered", __func__);
 		return -EINVAL;
-	}
+	}
 	param_buf = (WMI_EXTSCAN_CACHED_RESULTS_EVENTID_param_tlvs *)
 		cmd_param_info;
 	if (!param_buf) {
@@ -4612,39 +4612,16 @@ static int wma_extscan_cached_results_event_handler(void *handle,
 	event = param_buf->fixed_param;
 	src_hotlist = param_buf->bssid_list;
 	src_rssi = param_buf->rssi_list;
-	numap = event->num_entries_in_page;
 	WMA_LOGI("Total_entries: %u first_entry_index: %u num_entries_in_page: %u",
-		event->total_entries, event->first_entry_index, numap);
-	if (!src_hotlist || !src_rssi || !numap) {
+		event->total_entries, event->first_entry_index, event->num_entries_in_page);
+	if (!src_hotlist || !src_rssi || !event->num_entries_in_page) {
 		WMA_LOGW("%s: Cached results empty, send 0 results", __func__);
 		goto noresults;
-	}
-
-	if (event->first_entry_index +
-		event->num_entries_in_page < event->total_entries)
-		moredata = 1;
-	else
-		moredata = 0;
-
-	dest_cachelist = vos_mem_malloc(sizeof(*dest_cachelist));
-	if (!dest_cachelist) {
-		WMA_LOGE("%s: vos_mem_malloc failed", __func__);
-		return -ENOMEM;
 	}
-	vos_mem_zero(dest_cachelist, sizeof(*dest_cachelist));
-	dest_cachelist->request_id = event->request_id;
-	dest_cachelist->more_data = moredata;
-
-	scan_ids_cnt = wma_extscan_find_unique_scan_ids(cmd_param_info);
-	WMA_LOGI("scan_ids_cnt %d", scan_ids_cnt);
-	dest_cachelist->num_scan_ids = scan_ids_cnt;
-
 	if (event->num_entries_in_page >
 	    (WMA_SVC_MSG_MAX_SIZE - sizeof(*event))/sizeof(*src_hotlist)) {
 		WMA_LOGE("%s:excess num_entries_in_page %d in WMI event",
 			__func__, event->num_entries_in_page);
-		vos_mem_free(dest_cachelist);
-		VOS_ASSERT(0);
 		return -EINVAL;
 	} else {
 		total_len = sizeof(*event) +
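Review bot: The check that now runs ahead of wma_extscan_find_unique_scan_ids() bounds event->num_entries_in_page against WMA_SVC_MSG_MAX_SIZE, i.e. against how many descriptors could fit in a maximum-size event, not against how many bssid_list/rssi_list elements the TLV parser actually found in this event, and the retained `!src_hotlist || !src_rssi` test only catches a wholly absent TLV, not a short one. If the elided else-branch and the excess_data loop between this hunk and the next likewise only compare total_len with WMA_SVC_MSG_MAX_SIZE, a present-but-short rssi_list TLV can still be overread, which is exactly the case the commit message describes. A comparison against the parser's element counts would close that, e.g. `if (event->num_entries_in_page > param_buf->num_bssid_list) { WMA_LOGE("%s: num_entries_in_page exceeds bssid_list TLV", __func__); return -EINVAL; }` plus the analogous check for rssi_list (the `num_` field names assume this param_tlvs struct follows the usual WMI naming; verify against the generated header). Minor: the retained WMA_LOGE prints num_entries_in_page with `%d` while the WMA_LOGI above prints the same field with `%u`. The enclosing function starts before and ends after this hunk.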
@@ -4671,11 +4648,28 @@ static int wma_extscan_cached_results_event_handler(void *handle, } if (excess_data) { WMA_LOGE("%s:excess data in WMI event", __func__); - vos_mem_free(dest_cachelist); - VOS_ASSERT(0); return -EINVAL; } + if (event->first_entry_index + + event->num_entries_in_page < event->total_entries) + moredata = 1; + else + moredata = 0; + + dest_cachelist = vos_mem_malloc(sizeof(*dest_cachelist)); + if (!dest_cachelist) { + WMA_LOGE("%s: vos_mem_malloc failed", __func__); + return -ENOMEM; + } + vos_mem_zero(dest_cachelist, sizeof(*dest_cachelist)); + dest_cachelist->request_id = event->request_id; + dest_cachelist->more_data = moredata; + + scan_ids_cnt = wma_extscan_find_unique_scan_ids(cmd_param_info); + WMA_LOGD("scan_ids_cnt %d", scan_ids_cnt); + dest_cachelist->num_scan_ids = scan_ids_cnt; + buf_len = sizeof(*dest_result) * scan_ids_cnt; dest_cachelist->result = vos_mem_malloc(buf_len); if (!dest_cachelist->result) { |
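Review bot: `event->first_entry_index + event->num_entries_in_page` on the moved lines adds two firmware-supplied values of which only num_entries_in_page has been bounded at this point; both are logged with `%u` earlier, so presumably u32, and a large first_entry_index makes the sum wrap, after which more_data is reported as 1 for what is really the last page. Computing the comparison without the addition avoids the wrap: `moredata = (event->first_entry_index < event->total_entries && event->total_entries - event->first_entry_index > event->num_entries_in_page) ? 1 : 0;`. The effect is limited to a wrong more_data flag handed to the callback, not a memory error, so this is low severity. The function continues past the end of the hunk.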