qcacld-3.0: OOB access may occur due to total numChannels exceeds max value

Out of Buffer access may occur in wmi_get_buf_extscan_start_cmd() function if user provided inputs are different for below parameters which are assigned in hdd_extscan_start_fill_bucket_channel_spec() function 1. QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_NUM_CHANNEL_SPECS 2. QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC To address this issue return failure status if numChannels is not equal to the total number of channel entries. Change-Id: I60d74161dc3752bd7f609af3910d7c86a99488ec CRs-Fixed: 2255189
author: Dundi Raviteja <dundi@codeaurora.org> 2018-06-12 18:31:43 +0530
committer: nshrivas <nshrivas@codeaurora.org> 2018-06-15 05:14:26 -0700
commit: 0d3515d22a763998e62f5cc10afe2c7b8d58763f (patch)
tree: 3d9c7d14b3d8a4339d7334d4e18f25bb65367dde
parent: ae9dfb3749f31546eef07b615b9b4615ef7bb96f (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c
index dee8cb54cb6d..7f8b1c35ad3b 100644
--- a/core/hdd/src/wlan_hdd_ext_scan.c
+++ b/core/hdd/src/wlan_hdd_ext_scan.c
@@ -3042,6 +3042,11 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
 			total_channels++;
 		}
 
+		if (j != req_msg->buckets[bkt_index].numChannels) {
+			hdd_err("Input parameters didn't match");
+			goto fail;
+		}
+
 		hdd_extscan_update_dwell_time_limits(
 					req_msg, bkt_index,
 					min_dwell_time_active_bucket,
author	Dundi Raviteja <dundi@codeaurora.org>	2018-06-12 18:31:43 +0530
committer	nshrivas <nshrivas@codeaurora.org>	2018-06-15 05:14:26 -0700
commit	0d3515d22a763998e62f5cc10afe2c7b8d58763f (patch)
tree	3d9c7d14b3d8a4339d7334d4e18f25bb65367dde
parent	ae9dfb3749f31546eef07b615b9b4615ef7bb96f (diff)