authorVignesh Viswanathan <viswanat@codeaurora.org>2018-01-25 17:04:46 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2018-01-28 22:04:29 -0800
commita67fee043d7459b1c09033b4ca24c41fab5ea4a9 (patch)
tree3b13955f16188b223e0eaa8234a07b435cbe3ca7
parent3228b553b4e7a1a0815b703d0d028ca5115a60d9 (diff)
qcacld-3.0: Fix OOB write in WMA TX power level stats handler
In function wma_unified_radio_tx_power_level_stats_event_handler, radio_id is received from the FW in the fixed_param structure and is used to access the buffer wma_handle->link_stats_results, which is allocated in wma_unified_link_radio_stats_event_handler. The buffer is allocated for link_stats_results->num_radio and if the radio_id received from the FW is greater than link_stats_results->num_radio, an OOB write will occur in wma_unified_radio_tx_power_level_stats_event_handler. Add a check to return failure if radio_id received from the FW is greater than link_stats_results->num_radio. Change-Id: I67a848e7ab137d46bb43e7336ff8135da257568c CRs-Fixed: 2169104
-rw-r--r--core/wma/src/wma_utils.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index 534b51794644..7a6385d60a39 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -1471,6 +1471,8 @@ static int wma_unified_radio_tx_power_level_stats_event_handler(void *handle,
uint8_t *tx_power_level_values;
tSirLLStatsResults *link_stats_results;
tSirWifiRadioStat *rs_results;
+ uint32_t max_total_num_tx_power_levels = MAX_TPC_LEVELS * NUM_OF_BANDS *
+ MAX_SPATIAL_STREAM_ANY_V3;
tpAniSirGlobal mac = cds_get_context(QDF_MODULE_ID_PE);
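Review bot: The new `max_total_num_tx_power_levels` local has no comment explaining why the product of `MAX_TPC_LEVELS`, `NUM_OF_BANDS` and `MAX_SPATIAL_STREAM_ANY_V3` is the largest count firmware may legitimately report, and the commit message does not mention this bound at all. A one-line comment above the declaration would help, for example `/* Upper bound on total_num_tx_power_levels accepted from firmware */`, ideally also naming the buffer or loop the limit protects. Since the value is a compile-time constant, declaring it `const` would make that explicit. The function body starts and ends outside this hunk.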
@@ -1520,6 +1522,20 @@ static int wma_unified_radio_tx_power_level_stats_event_handler(void *handle,
return -EINVAL;
}
+ if (fixed_param->radio_id > link_stats_results->num_radio) {
+ WMA_LOGD("%s: Invalid radio_id %d num_radio %d",
+ __func__, fixed_param->radio_id,
+ link_stats_results->num_radio);
+ return -EINVAL;
+ }
+
+ if (fixed_param->total_num_tx_power_levels >
+ max_total_num_tx_power_levels) {
+ WMA_LOGD("Invalid total_num_tx_power_levels %d",
+ fixed_param->total_num_tx_power_levels);
+ return -EINVAL;
+ }
+
rs_results = (tSirWifiRadioStat *) &link_stats_results->results[0] +
fixed_param->radio_id;
tx_power_level_values = (uint8_t *) param_tlvs->tx_time_per_power_level;
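Review bot: The added guard `if (fixed_param->radio_id > link_stats_results->num_radio)` still accepts `radio_id == num_radio`, which is an off-by-one. The commit message says the results buffer is sized for `num_radio` entries, so the later `&link_stats_results->results[0] + fixed_param->radio_id` would then point one element past the end; the allocation is outside this hunk, so that sizing should be confirmed. If it holds, the comparison should be `if (fixed_param->radio_id >= link_stats_results->num_radio) {`. Both new log calls print firmware-supplied values with `%d`; if those fields are unsigned, as the `uint32_t` bound suggests, `%u` is the matching specifier. The two rejections are logged only at debug level via `WMA_LOGD`, so malformed firmware events will be hard to spot in the field unless an error-level log is used.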