summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHimanshu Agarwal <himanaga@codeaurora.org>2017-10-06 12:40:27 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2017-10-07 09:55:12 -0700
commitbc9d8db57766fdbd7016bd607cca45c5d450f983 (patch)
treec11b7275b7b00d223c549371d1a8643b81d78291
parentf187a7750e593582509942b96a3739839826e060 (diff)
qcacld-3.0: Add sanity check for vdev id to prevent OOB access
Add sanity check for vdev id in wma_vdev_start_resp_handler() to prevent out of bound memory access. Change-Id: Ia4e18e8e322142928c41dfa88b874ff017727266 CRs-Fixed: 2120424
-rw-r--r--core/wma/src/wma_dev_if.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/core/wma/src/wma_dev_if.c b/core/wma/src/wma_dev_if.c
index 8b06f1c86cb0..b0a9903af9d2 100644
--- a/core/wma/src/wma_dev_if.c
+++ b/core/wma/src/wma_dev_if.c
@@ -944,6 +944,11 @@ int wma_vdev_start_resp_handler(void *handle, uint8_t *cmd_param_info,
return -EINVAL;
}
+ if (resp_event->vdev_id >= wma->max_bssid) {
+ WMA_LOGE("Invalid vdev id received from firmware");
+ return -EINVAL;
+ }
+
if (wma_is_vdev_in_ap_mode(wma, resp_event->vdev_id)) {
qdf_spin_lock_bh(&wma->dfs_ic->chan_lock);
wma->dfs_ic->disable_phy_err_processing = false;