summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVarun Reddy Yeturu <varunreddy.yeturu@codeaurora.org>2017-09-27 20:38:39 -0700
committersnandini <snandini@codeaurora.org>2017-09-29 18:04:05 -0700
commit7219078a23ec3bf101fd074f7243f7da3dc44031 (patch)
treed0e8bb96ea0765eeef8bf4e54df4e49c45ef0603
parent2dcb3d001fe51aa75272aa5ed75695ef4dd859a7 (diff)
qcacld-3.0: Avoid int overflow in wma_unified_link_radio_stats_event_handler
Check for the validity of the number of channels passed in the radio stats event received from firmware to ensure an integer overflow does not happen. Change-Id: Idf5738a40139aafad4de422965dc4ff3d0e53a32 CRs-Fixed: 2114426
-rw-r--r--core/wma/src/wma_utils.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index 4ee66cf728c8..2fa35ff09a5f 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -67,6 +67,7 @@
#include "cds_concurrency.h"
#include "wmi_unified_param.h"
#include "linux/ieee80211.h"
+#include "cds_reg_service.h"
/* MCS Based rate table */
/* HT MCS parameters with Nss = 1 */
@@ -1535,9 +1536,21 @@ static int wma_unified_link_radio_stats_event_handler(void *handle,
WMA_LOGA("%s: Invalid param_tlvs for Radio Stats", __func__);
return -EINVAL;
}
+ if (radio_stats->num_channels >
+ (NUM_24GHZ_CHANNELS + NUM_5GHZ_CHANNELS)) {
+ WMA_LOGE("%s: Too many channels %d",
+ __func__, radio_stats->num_channels);
+ return -EINVAL;
+ }
radio_stats_size = sizeof(tSirWifiRadioStat);
chan_stats_size = sizeof(tSirWifiChannelStats);
+ if (fixed_param->num_radio >
+ (UINT_MAX - sizeof(*link_stats_results))/radio_stats_size) {
+ WMA_LOGE("excess num_radio %d is leading to int overflow",
+ fixed_param->num_radio);
+ return -EINVAL;
+ }
link_stats_results_size = sizeof(*link_stats_results) +
fixed_param->num_radio * radio_stats_size;