| author | gaurank kathpalia <gkathpal@codeaurora.org> | 2018-05-01 12:35:14 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-05-03 14:09:46 -0700 |
| commit | ac6eb9f2674a38f86c80b82cadd2f4e7fa777588 (patch) | |
| tree | 1e9f843907f2ce1462593a7cf76c07a48269c9d3 | |
| parent | c8e79e30193edf0954a36804f235bafbcb718b0b (diff) | |
qcacld-3.0: Fix OOB write in vdev_mac_map
In the API wma_process_pdev_hw_mode_trans_ind
the host doesn't check the upper limit of
num_vdev_mac_entries received from the firmware,
and fills the same to the host structure
hw_mode_trans_ind, which may cause OOB write.
Fix is to check for the max vdev supported in the
same API and return if the condition is false.
Change-Id: I54a9e12f777b87b49057d6c97c06ab71b9ad1d77
CRs-Fixed: 2221965
| -rw-r--r-- | core/wma/src/wma_main.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/core/wma/src/wma_main.c b/core/wma/src/wma_main.c index 2d03f3a0ba37..1325d9a00241 100644 --- a/core/wma/src/wma_main.c +++ b/core/wma/src/wma_main.c @@ -3239,7 +3239,13 @@ void wma_process_pdev_hw_mode_trans_ind(void *handle, { uint32_t i; tp_wma_handle wma = (tp_wma_handle) handle; - + if (fixed_param->num_vdev_mac_entries > MAX_VDEV_SUPPORTED) { + WMA_LOGE("Number of Vdev mac entries %d exceeded" + " max vdev supported %d", + fixed_param->num_vdev_mac_entries, + MAX_VDEV_SUPPORTED); + return; + } hw_mode_trans_ind->old_hw_mode_index = fixed_param->old_hw_mode_index; hw_mode_trans_ind->new_hw_mode_index = fixed_param->new_hw_mode_index; hw_mode_trans_ind->num_vdev_mac_entries = |
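Review bot: the new early `return;` in the `num_vdev_mac_entries > MAX_VDEV_SUPPORTED` branch leaves `hw_mode_trans_ind` untouched, and because `wma_process_pdev_hw_mode_trans_ind` returns void the caller cannot tell that the structure was never filled. Consider returning a status, or at least setting `hw_mode_trans_ind->num_vdev_mac_entries = 0` before returning, so that a later consumer does not act on stale or uninitialized contents. Two smaller points on the same lines: the patch drops the blank line between the local declarations and the first statement, which should stay; and the log message is split across two string literals, which makes it harder to grep for. If `num_vdev_mac_entries` is an unsigned field (its type is not visible in this hunk), the `%d` specifier should be `%u`.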
