authorPragaspathi Thilagaraj <tpragasp@codeaurora.org>2018-04-02 17:15:04 +0530
committernshrivas <nshrivas@codeaurora.org>2018-04-03 18:01:33 -0700
commit4c74687be66c19be0b9bd83d78d033dff5d1a9ae (patch)
tree306751611a6e5a90376260e88656631036c64f01
parent367768e3e5e2543659998d6e2246664ad353a296 (diff)
qcacld-3.0: Fix OOB write in wma_roam_synch_event_handler
The routine wma_roam_synch_event_handler sends roam indication to the upper layers. It uses the vdev_id of the synch event to pass the roaming indication for the vdev session. If the vdev_id exceeds the max_bssid supported, then an OOB write occurs in wma_roam_synch_event_handler. Add check to validate vdev does not exceed the maximum bssid configured. Add check to ensure vdev does not exceed max_bssid and return error if violated. Change-Id: Ief8b5070fd6cbb375900e2816524dbd946c5238d CRs-Fixed: 2206569
-rw-r--r--core/wma/src/wma_scan_roam.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
index a29696fc225b..542bda7610e7 100644
--- a/core/wma/src/wma_scan_roam.c
+++ b/core/wma/src/wma_scan_roam.c
@@ -2833,6 +2833,12 @@ int wma_roam_synch_event_handler(void *handle, uint8_t *event,
goto cleanup_label;
}
+ if (synch_event->vdev_id >= wma->max_bssid) {
+ WMA_LOGE("%s: received invalid vdev_id %d",
+ __func__, synch_event->vdev_id);
+ return status;
+ }
+
if (synch_event->bcn_probe_rsp_len >
param_buf->num_bcn_probe_rsp_frame ||
synch_event->reassoc_req_len >
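Review bot: The relocated vdev_id check exits with `return status;`, while the error path just above it and the length check below it both leave through `goto cleanup_label;`, and nothing in the code says why this one path is different. Presumably the code at cleanup_label indexes per-vdev state with synch_event->vdev_id, which would be the out-of-bounds write the commit title names, but the label is outside the hunk, so that should be confirmed. If it holds, I would add a comment above the return such as `/* vdev_id is out of range: skip cleanup_label, which indexes by vdev_id */` so a later refactor does not turn it back into a goto. It is also worth confirming that `status` still holds an error value at this point and that nothing acquired earlier in the function needs releasing on this path. The function body starts and ends outside the hunk.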
@@ -2845,11 +2851,6 @@ int wma_roam_synch_event_handler(void *handle, uint8_t *event,
synch_event->reassoc_rsp_len);
goto cleanup_label;
}
- if (synch_event->vdev_id >= wma->max_bssid) {
- WMA_LOGE("%s: received invalid vdev_id %d",
- __func__, synch_event->vdev_id);
- goto cleanup_label;
- }
wma_peer_debug_log(synch_event->vdev_id, DEBUG_ROAM_SYNCH_IND,
DEBUG_INVALID_PEER_ID, NULL, NULL,