| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2019-11-14 14:19:44 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2020-12-15 04:37:54 -0800 |
| commit | cd93ab9c70da344da3a725147964ff0ea6b3e4aa (patch) | |
| tree | 9e2725804a8a9520ab7e61df200bc367e04628dc | |
| parent | 75fa086a05b5c74f076f36221ab84f50e43f78c3 (diff) | |
qcacld-3.0: Possible OOB write in rrm_process_radio_measurement_request
If two measurement requests cause update_rrm_report() to be called twice,
an out-of-bounds write is possible on the allocated report array, report[],
in rrm_process_radio_measurement_request.
Change-Id: Icc8b7aa14bbcc1219d28025e599c9976a3525bba
CRs-Fixed: 2564485
| -rw-r--r-- | core/mac/src/pe/rrm/rrm_api.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index 73e1314a670f..00142a4a6f28 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -1139,28 +1139,30 @@ tSirRetStatus rrm_process_beacon_req(tpAniSirGlobal mac_ctx, tSirMacAddr peer,
 */
 static tSirRetStatus update_rrm_report(tpAniSirGlobal mac_ctx,
- tpSirMacRadioMeasureReport report,
+ tpSirMacRadioMeasureReport *report,
 tDot11fRadioMeasurementRequest *rrm_req,
 uint8_t *num_report, int index)
 {
- if (report == NULL) {
+ tpSirMacRadioMeasureReport rrm_report;
+
+ if (!*report) {
 /*
 * Allocate memory to send reports for
 * any subsequent requests.
 */
- report = qdf_mem_malloc(sizeof(*report) *
+ *report = qdf_mem_malloc(sizeof(tSirMacRadioMeasureReport) *
 (rrm_req->num_MeasurementRequest - index));
- if (NULL == report) {
- pe_err("Unable to allocate memory during RRM Req processing");
+ if (!*report) {
+ pe_err("Fail to alloc mem during RRM Req processing");
 return eSIR_MEM_ALLOC_FAILED;
 }
- pe_debug("rrm beacon type incapable of %d report",
- *num_report);
+ pe_debug("rrm beacon type incapable of %d report", *num_report);
 }
- report[*num_report].incapable = 1;
- report[*num_report].type =
+ rrm_report = *report;
+ rrm_report[*num_report].incapable = 1;
+ rrm_report[*num_report].type =
 rrm_req->MeasurementRequest[index].measurement_type;
- report[*num_report].token =
+ rrm_report[*num_report].token =
 rrm_req->MeasurementRequest[index].measurement_token;
 (*num_report)++;
 return eSIR_SUCCESS;
@@ -1242,7 +1244,7 @@ rrm_process_radio_measurement_request(tpAniSirGlobal mac_ctx,
 break;
 default:
 /* Send a report with incapabale bit set. */
- status = update_rrm_report(mac_ctx, report, rrm_req,
+ status = update_rrm_report(mac_ctx, &report, rrm_req,
 &num_report, i);
 if (eSIR_SUCCESS != status)
 return status;
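Review bot: The allocation in update_rrm_report is sized by `rrm_req->num_MeasurementRequest - index` elements, yet every write goes to `rrm_report[*num_report]`, and nothing in the hunk ties the two together: the array is only safe if `*num_report` is zero at the moment `*report` is first allocated and grows by exactly one per later index, which the callee cannot check because the capacity is never stored. Passing `&report` fixes the lost-pointer case the commit describes, but if the caller already holds a `report` buffer sized differently (inferred from the beacon path that sits outside this hunk), the `*num_report` index can still run past it; a defensive option is to size by the whole request count, `*report = qdf_mem_malloc(sizeof(**report) * rrm_req->num_MeasurementRequest);`, so the index is bounded by the loop itself, or to pass a capacity alongside `num_report` and reject writes at or beyond it. As a point of style, `sizeof(**report)` keeps the element size tied to the variable now that `report` is a double pointer, rather than repeating the type name. The function's closing brace is past the end of the hunk.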
