diff options
| author | Arif Hussain <arifhussain@codeaurora.org> | 2018-09-14 16:52:24 -0700 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-10-04 08:56:28 -0700 |
| commit | ecd09f6b7cf379b5419386b903528fa003ce7649 (patch) | |
| tree | 8e4334fbeedee13c5726849d40f7a83916889d6d | |
| parent | 8869db55328a08480224bf5de4fd262e6f3824c6 (diff) | |
qcacld-3.0: Fix possible OOB in wma_unified_radio_tx_mem_free()
In wma_unified_radio_tx_mem_free() function, results buffer array may be
dereferenced with large index value, that may result OOB memory access.
Fix the same by correcting incrementing pointer to results buffer.
Change-Id: I57a26dba9db32758c7d7fd51b99d3364a8020a9d
CRs-Fixed: 2308644
| -rw-r--r-- | core/wma/src/wma_utils.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c index 78135d2812f0..e4006c1b8c8c 100644 --- a/core/wma/src/wma_utils.c +++ b/core/wma/src/wma_utils.c @@ -1431,7 +1431,6 @@ int wma_unified_radio_tx_mem_free(void *handle) rs_results = (tSirWifiRadioStat *) &wma_handle->link_stats_results->results[0]; for (i = 0; i < wma_handle->link_stats_results->num_radio; i++) { - rs_results += i; if (rs_results->tx_time_per_power_level) { qdf_mem_free(rs_results->tx_time_per_power_level); rs_results->tx_time_per_power_level = NULL; @@ -1441,6 +1440,7 @@ int wma_unified_radio_tx_mem_free(void *handle) qdf_mem_free(rs_results->channels); rs_results->channels = NULL; } + rs_results++; } qdf_mem_free(wma_handle->link_stats_results); |