| author | Linux Build Service Account <lnxbuild@localhost> | 2018-11-30 22:34:56 -0800 |
|---|---|---|
| committer | Linux Build Service Account <lnxbuild@localhost> | 2018-11-30 22:34:56 -0800 |
| commit | b0bd070f258c8dd977fbd51b36ade7f642aae201 (patch) | |
| tree | 7d929da5b89aa42966a7d891436f827f3ea592b2 | |
| parent | 987334f45b007f0c7e1877f4530df61656aa23b0 (diff) | |
| parent | d05aa97f348fc4e2497008cf9a36c1d2fe129a45 (diff) | |
Merge d05aa97f348fc4e2497008cf9a36c1d2fe129a45 on remote branch
Change-Id: Ibde831a0ed7c68266a669c5a117aa83a90463eba
| -rw-r--r-- | wmi/src/wmi_unified_tlv.c | 37 |
1 files changed, 31 insertions, 6 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 17f45c9abedd..c063136a00bf 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -14723,7 +14723,7 @@ extract_roam_scan_stats_res_evt_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 uint32_t total_len;
 struct wmi_roam_scan_stats_res *res;
 uint32_t i, j;
- uint32_t num_scans;
+ uint32_t num_scans, scan_param_size;
 *res_param = NULL;
 *vdev_id = 0xFF; /* Initialize to invalid vdev id */
@@ -14734,11 +14734,17 @@ extract_roam_scan_stats_res_evt_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 }
 fixed_param = param_buf->fixed_param;
- total_len = sizeof(*res) + fixed_param->num_roam_scans *
- sizeof(struct wmi_roam_scan_stats_params);
- *vdev_id = fixed_param->vdev_id;
 num_scans = fixed_param->num_roam_scans;
+ scan_param_size = sizeof(struct wmi_roam_scan_stats_params);
+ *vdev_id = fixed_param->vdev_id;
+ if (num_scans > WMI_ROAM_SCAN_STATS_MAX) {
+ WMI_LOGE(FL("%u exceeded maximum roam scan stats: %u"),
+ num_scans, WMI_ROAM_SCAN_STATS_MAX);
+ return QDF_STATUS_E_INVAL;
+ }
+
+ total_len = sizeof(*res) + num_scans * scan_param_size;
 res = qdf_mem_malloc(total_len);
 if (!res) {
@@ -14782,8 +14788,16 @@ extract_roam_scan_stats_res_evt_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 num_channels = param_buf->num_channels;
- for (count = 0; count < param_buf->num_num_channels; count++)
+ for (count = 0; count < param_buf->num_num_channels; count++) {
+ if (param_buf->num_channels[count] >
+ WMI_ROAM_SCAN_STATS_CHANNELS_MAX) {
+ WMI_LOGE(FL("%u exceeded max scan channels %u"),
+ param_buf->num_channels[count],
+ WMI_ROAM_SCAN_STATS_CHANNELS_MAX);
+ goto error;
+ }
 chan_info_sum += param_buf->num_channels[count];
+ }
 if (param_buf->chan_info && param_buf->num_chan_info == chan_info_sum)
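Review bot: The `num_scans > WMI_ROAM_SCAN_STATS_MAX` check in the second hunk is what keeps the allocation size from wrapping, and nothing in the code says so. `total_len` is a `uint32_t`, so `sizeof(*res) + num_scans * scan_param_size` can overflow for a large count taken from the event, and the check only helps because it now runs before that multiplication. I would add a comment above the check such as `/* num_roam_scans comes from the event; bound it before it sizes the allocation */` so a later cleanup does not move the computation back up. WMI_ROAM_SCAN_STATS_MAX is defined outside this diff, so the no-wrap property depends on that constant staying small. The function body starts and ends outside the hunk.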
@@ -14798,8 +14812,16 @@ extract_roam_scan_stats_res_evt_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 num_roam_candidates = param_buf->num_roam_candidates;
 for (count = 0; count < param_buf->num_num_roam_candidates;
- count++)
+ count++) {
+ if (param_buf->num_roam_candidates[count] >
+ WMI_ROAM_SCAN_STATS_CANDIDATES_MAX) {
+ WMI_LOGE(FL("%u exceeded max scan cand %u"),
+ param_buf->num_roam_candidates[count],
+ WMI_ROAM_SCAN_STATS_CANDIDATES_MAX);
+ goto error;
+ }
 roam_cand_sum += param_buf->num_roam_candidates[count];
+ }
 if (param_buf->bssid && param_buf->num_bssid == roam_cand_sum)
@@ -14878,6 +14900,9 @@ extract_roam_scan_stats_res_evt_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 *res_param = res;
 return QDF_STATUS_SUCCESS;
+error:
+ qdf_mem_free(res);
+ return QDF_STATUS_E_FAILURE;
 }
 /** |
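Review bot: The new `error:` label in the last hunk returns `QDF_STATUS_E_FAILURE`, while the out-of-range count check added earlier in the same function returns `QDF_STATUS_E_INVAL` for the same kind of problem, a value in the event that exceeds its maximum. Both `goto error` sites added by this commit (the channel loop and the candidate loop) are range rejections, so `return QDF_STATUS_E_INVAL;` after `qdf_mem_free(res);` would keep the status consistent and let a caller tell a malformed event from other failures, unless an existing caller depends on the current value. The free itself looks right as far as these hunks show: `*res_param` is set to NULL at the top of the function and is assigned `res` only on the success path, so the caller is not handed a freed pointer. The function body between the hunks is not visible here.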
