| author | Guisen Yang <guiseny@codeaurora.org> | 2018-10-19 08:39:48 +0800 |
|---|---|---|
| committer | Guisen Yang <guiseny@codeaurora.org> | 2018-10-19 13:41:32 +0800 |
| commit | 10938120a4457f494d92d1196165c951ffefcddb (patch) | |
| tree | eceed597f4d608c87709050dfe73c1aca5ec4b25 | |
| parent | 479a038e5e347b3cbaaef739d319f8d6ce218337 (diff) | |
qcacld-2.0: Fix KW update about qcacld-dsrc issue
Fix out-of-bounds (OOB) accesses on some arrays and add NULL
pointer checks before use.
Change-Id: Ifbc54399ed7f60291791c554d0b6396a09fa7bc3
CRs-Fixed: 2277483
| -rw-r--r-- | CORE/MAC/src/pe/rrm/rrmApi.c | 46 | ||||
| -rw-r--r-- | CORE/SME/src/sme_common/sme_Api.c | 55 |
2 files changed, 50 insertions, 51 deletions
diff --git a/CORE/MAC/src/pe/rrm/rrmApi.c b/CORE/MAC/src/pe/rrm/rrmApi.c
index 5c02cefcfdb5..49cdc9ea5f83 100644
--- a/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -386,29 +386,29 @@ rrmProcessNeighborReportResponse( tpAniSirGlobal pMac, vos_mem_set(pSmeNeighborRpt, length, 0); /* Allocated memory for pSmeNeighborRpt...will be freed by other module */ - - for( i = 0 ; i < pNeighborRep->num_NeighborReport ; i++ ) - { - pSmeNeighborRpt->sNeighborBssDescription[i].length = sizeof( tSirNeighborBssDescription ); /*+ any optional ies */ - vos_mem_copy(pSmeNeighborRpt->sNeighborBssDescription[i].bssId, - pNeighborRep->NeighborReport[i].bssid, - sizeof(tSirMacAddr)); - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fApPreauthReachable = pNeighborRep->NeighborReport[i].APReachability; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fSameSecurityMode = pNeighborRep->NeighborReport[i].Security; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fSameAuthenticator = pNeighborRep->NeighborReport[i].KeyScope; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapSpectrumMeasurement = pNeighborRep->NeighborReport[i].SpecMgmtCap; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapQos = pNeighborRep->NeighborReport[i].QosCap; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapApsd = pNeighborRep->NeighborReport[i].apsd; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapRadioMeasurement = pNeighborRep->NeighborReport[i].rrm; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapDelayedBlockAck = pNeighborRep->NeighborReport[i].DelayedBA; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapImmediateBlockAck = pNeighborRep->NeighborReport[i].ImmBA; - pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fMobilityDomain = pNeighborRep->NeighborReport[i].MobilityDomain; - - pSmeNeighborRpt->sNeighborBssDescription[i].regClass = pNeighborRep->NeighborReport[i].regulatoryClass; - pSmeNeighborRpt->sNeighborBssDescription[i].channel = pNeighborRep->NeighborReport[i].channel; - 
pSmeNeighborRpt->sNeighborBssDescription[i].phyType = pNeighborRep->NeighborReport[i].PhyType; + if (pNeighborRep->num_NeighborReport <= 1) { + for( i = 0 ; i < pNeighborRep->num_NeighborReport ; i++ ) + { + pSmeNeighborRpt->sNeighborBssDescription[i].length = sizeof( tSirNeighborBssDescription ); /*+ any optional ies */ + vos_mem_copy(pSmeNeighborRpt->sNeighborBssDescription[i].bssId, + pNeighborRep->NeighborReport[i].bssid, + sizeof(tSirMacAddr)); + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fApPreauthReachable = pNeighborRep->NeighborReport[i].APReachability; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fSameSecurityMode = pNeighborRep->NeighborReport[i].Security; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fSameAuthenticator = pNeighborRep->NeighborReport[i].KeyScope; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapSpectrumMeasurement = pNeighborRep->NeighborReport[i].SpecMgmtCap; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapQos = pNeighborRep->NeighborReport[i].QosCap; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapApsd = pNeighborRep->NeighborReport[i].apsd; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapRadioMeasurement = pNeighborRep->NeighborReport[i].rrm; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapDelayedBlockAck = pNeighborRep->NeighborReport[i].DelayedBA; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fCapImmediateBlockAck = pNeighborRep->NeighborReport[i].ImmBA; + pSmeNeighborRpt->sNeighborBssDescription[i].bssidInfo.rrmInfo.fMobilityDomain = pNeighborRep->NeighborReport[i].MobilityDomain; + + pSmeNeighborRpt->sNeighborBssDescription[i].regClass = pNeighborRep->NeighborReport[i].regulatoryClass; + pSmeNeighborRpt->sNeighborBssDescription[i].channel = pNeighborRep->NeighborReport[i].channel; + pSmeNeighborRpt->sNeighborBssDescription[i].phyType = 
pNeighborRep->NeighborReport[i].PhyType; + } } - pSmeNeighborRpt->messageType = eWNI_SME_NEIGHBOR_REPORT_IND; pSmeNeighborRpt->length = length; pSmeNeighborRpt->sessionId = pSessionEntry->smeSessionId; diff --git a/CORE/SME/src/sme_common/sme_Api.c b/CORE/SME/src/sme_common/sme_Api.c index aee8738d0abc..df4c76cb26a0 100644 --- a/CORE/SME/src/sme_common/sme_Api.c +++ b/CORE/SME/src/sme_common/sme_Api.c 
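Review bot: When `num_NeighborReport` is greater than 1 the new guard skips the whole copy loop, yet the lines after it still set `messageType`, `length` and `sessionId`, so an indication whose `sNeighborBssDescription` entries are all zero appears to be passed on with no log that the report was dropped. The bound `1` is a bare literal; if it is meant to match the declared size of `sNeighborBssDescription[]`, tie it to that array or a named constant and add a comment such as `/* sNeighborBssDescription[] holds one entry; larger reports are rejected */`. Rejecting the oversized report before the message is built (and releasing `pSmeNeighborRpt`, which is allocated above the hunk) would be safer than forwarding an empty one. The function begins and ends outside the hunk, so the earlier `length` computation and any count field copied into the message should be checked against the same bound.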
@@ -1693,37 +1693,36 @@ eHalStatus sme_SetPlmRequest(tHalHandle hHal, tpSirPlmReq pPlmReq) } if (pPlmReq->enable) { - /* validating channel numbers */ - for (count = 0; count < pPlmReq->plmNumCh; count++) { - - ret = csrIsSupportedChannel(pMac, pPlmReq->plmChList[count]); - if (ret && pPlmReq->plmChList[count] > 14) - { - if (NV_CHANNEL_DFS == - vos_nv_getChannelEnabledState(pPlmReq->plmChList[count])) + if(pPlmReq->plmNumCh < WNI_CFG_VALID_CHANNEL_LIST_LEN) { + for (count = 0; count < pPlmReq->plmNumCh; count++) { + ret = csrIsSupportedChannel(pMac, pPlmReq->plmChList[count]); + if (ret && pPlmReq->plmChList[count] > 14) { - /* DFS channel is provided, no PLM bursts can be - * transmitted. Ignoring these channels. - */ - VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_INFO, - "%s DFS channel %d ignored for PLM", __func__, - pPlmReq->plmChList[count]); - continue; + if (NV_CHANNEL_DFS == + vos_nv_getChannelEnabledState(pPlmReq->plmChList[count])) + { + /* DFS channel is provided, no PLM bursts can be + * transmitted. Ignoring these channels. + */ + VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_INFO, + "%s DFS channel %d ignored for PLM", __func__, + pPlmReq->plmChList[count]); + continue; + } } - } - else if (!ret) - { - /* Not supported, ignore the channel */ - VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_INFO, - "%s Unsupported channel %d ignored for PLM", - __func__, pPlmReq->plmChList[count]); - continue; - } - ch_list[valid_count] = pPlmReq->plmChList[count]; - valid_count++; - } /* End of for () */ - + else if (!ret) + { + /* Not supported, ignore the channel */ + VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_INFO, + "%s Unsupported channel %d ignored for PLM", + __func__, pPlmReq->plmChList[count]); + continue; + } + ch_list[valid_count] = pPlmReq->plmChList[count]; + valid_count++; + } /* End of for () */ + } /* Copying back the valid channel list to plm struct */ vos_mem_set((void *)pPlmReq->plmChList, pPlmReq->plmNumCh, 0); if (valid_count) |
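Review bot: The new bound on `plmNumCh` protects only the validation loop; when the check fails, execution still reaches `vos_mem_set((void *)pPlmReq->plmChList, pPlmReq->plmNumCh, 0);` with the same unchecked count as the length, so an oversized `plmNumCh` can still write past `plmChList`. Failing the request up front closes both paths, for example testing `if (pPlmReq->plmNumCh >= WNI_CFG_VALID_CHANNEL_LIST_LEN)` before the loop and returning an error status after releasing anything acquired above the hunk. The comparison uses `<`, which also rejects a list of exactly `WNI_CFG_VALID_CHANNEL_LIST_LEN` channels; if `ch_list` and `plmChList` are declared with that many elements (their declarations are outside the hunk), `<=` is the intended bound. A silent skip also hides malformed requests, so a trace line on the rejection path would help triage.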
