| author | Vignesh Viswanathan <viswanat@codeaurora.org> | 2018-01-25 17:04:46 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-01-28 22:04:29 -0800 |
| commit | a67fee043d7459b1c09033b4ca24c41fab5ea4a9 (patch) | |
| tree | 3b13955f16188b223e0eaa8234a07b435cbe3ca7 | |
| parent | 3228b553b4e7a1a0815b703d0d028ca5115a60d9 (diff) | |
qcacld-3.0: Fix OOB write in WMA TX power level stats handler
In function wma_unified_radio_tx_power_level_stats_event_handler, radio_id
is received from the FW in the fixed_param structure and is used to access
the buffer wma_handle->link_stats_results which is allocated in
wma_unified_link_radio_stats_event_handler. The buffer is allocated for
link_stats_results->num_radio and if the radio_id received from the
FW is greater than link_stats_results->num_radio, an OOB write will
occur in wma_unified_radio_tx_power_level_stats_event_handler.
Add check to return failure if radio_id received from the FW is greater
than link_stats_results->num_radio.
Change-Id: I67a848e7ab137d46bb43e7336ff8135da257568c
CRs-Fixed: 2169104
| -rw-r--r-- | core/wma/src/wma_utils.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index 534b51794644..7a6385d60a39 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -1471,6 +1471,8 @@ static int wma_unified_radio_tx_power_level_stats_event_handler(void *handle,
 uint8_t *tx_power_level_values;
 tSirLLStatsResults *link_stats_results;
 tSirWifiRadioStat *rs_results;
+ uint32_t max_total_num_tx_power_levels = MAX_TPC_LEVELS * NUM_OF_BANDS *
+ MAX_SPATIAL_STREAM_ANY_V3;
 tpAniSirGlobal mac = cds_get_context(QDF_MODULE_ID_PE);
@@ -1520,6 +1522,20 @@ static int wma_unified_radio_tx_power_level_stats_event_handler(void *handle,
 return -EINVAL;
 }
+ if (fixed_param->radio_id > link_stats_results->num_radio) {
+ WMA_LOGD("%s: Invalid radio_id %d num_radio %d",
+ __func__, fixed_param->radio_id,
+ link_stats_results->num_radio);
+ return -EINVAL;
+ }
+
+ if (fixed_param->total_num_tx_power_levels >
+ max_total_num_tx_power_levels) {
+ WMA_LOGD("Invalid total_num_tx_power_levels %d",
+ fixed_param->total_num_tx_power_levels);
+ return -EINVAL;
+ }
+
 rs_results = (tSirWifiRadioStat *) &link_stats_results->results[0] + fixed_param->radio_id;
 tx_power_level_values = (uint8_t *) param_tlvs->tx_time_per_power_level; |
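Review bot: The new radio_id guard in the second hunk looks off by one: it rejects only `radio_id > num_radio`, so `radio_id == num_radio` still passes, and `&link_stats_results->results[0] + fixed_param->radio_id` then points one element past a buffer that, per the commit message, is allocated for num_radio entries. The comparison should be `if (fixed_param->radio_id >= link_stats_results->num_radio) {`. The allocation is in wma_unified_link_radio_stats_event_handler and is not visible here, so confirm against it that radio_id is a zero-based index. Both values come from firmware and are logged with `%d`; if they are unsigned 32-bit fields, as the new `uint32_t` bound suggests, `%u` would be the matching specifier. The function body starts and ends outside the hunk.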
