authorAbhinav Kumar <abhikuma@codeaurora.org>2018-06-26 19:06:56 +0530
committernshrivas <nshrivas@codeaurora.org>2018-07-02 11:20:11 -0700
commitf3c2bca2be7dd27ffe1d9010cde45d573f3e4d2e (patch)
tree5c231a770a5f00acf579913814b440908c459395
parent231972bcce3e63fccbd685632dec138f4c2c1f48 (diff)
qcacld-3.0: Validate sessionId before use in csr_roam_substate_change
csr_roam_set_bss_config_cfg invokes csr_roam_substate_change with sessionId as one argument to change the roam substate. In csr_roam_substate_change, sessionId is used as an index into the array curSubState, of max allowed index CSR_ROAM_SESSION_MAX(5). But there is no check in csr_roam_substate_change to validate sessionId against the maximum allowed concurrent sessions. This results in an out-of-bounds access if sessionId >= CSR_ROAM_SESSION_MAX. Add a check for sessionId against CSR_ROAM_SESSION_MAX in csr_roam_substate_change. Change-Id: Iae7da836001a9ccbec77cdc64df27b259f15bf4e CRs-Fixed: 2268547
-rw-r--r--core/sme/src/csr/csr_api_roam.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/core/sme/src/csr/csr_api_roam.c b/core/sme/src/csr/csr_api_roam.c
index cc358fa94774..77e5a1f03f55 100644
--- a/core/sme/src/csr/csr_api_roam.c
+++ b/core/sme/src/csr/csr_api_roam.c
@@ -1644,6 +1644,11 @@ void csr_abort_command(tpAniSirGlobal pMac, tSmeCmd *pCommand, bool fStopping)
void csr_roam_substate_change(tpAniSirGlobal pMac, eCsrRoamSubState NewSubstate,
uint32_t sessionId)
{
+ if (sessionId >= CSR_ROAM_SESSION_MAX) {
+ sme_err("Invalid no of concurrent sessions %d",
+ sessionId);
+ return;
+ }
sme_debug("CSR RoamSubstate: [ %s <== %s ]",
mac_trace_getcsr_roam_sub_state(NewSubstate),
mac_trace_getcsr_roam_sub_state(pMac->roam.
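Review bot: The `sme_err` added at the top of `csr_roam_substate_change` formats the `uint32_t sessionId` with `%d` and describes it as a "no of concurrent sessions", although the rejected value is a session index. An out-of-range id at or above 2^31 would be logged as a negative number, which makes the log harder to triage; `sme_err("Invalid sessionId %u", sessionId);` matches the type and names the actual fault. The same `%d` is used for `sessionId` in the `sme_err("session %d not found", ...)` added in the `csr_roam_set_bss_config_cfg` hunk. Because this function returns `void`, the caller cannot tell that the substate change was dropped, so a one-line comment on the guard such as `/* out-of-range sessionId: leave curSubState untouched */` would document that the previous substate stays in effect. The function body continues outside the hunk.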
@@ -5367,6 +5372,10 @@ QDF_STATUS csr_roam_set_bss_config_cfg(tpAniSirGlobal pMac, uint32_t sessionId,
uint32_t cfgCb = WNI_CFG_CHANNEL_BONDING_MODE_DISABLE;
uint8_t channel = 0;
tCsrRoamSession *pSession = CSR_GET_SESSION(pMac, sessionId);
+ if (!pSession) {
+ sme_err("session %d not found", sessionId);
+ return QDF_STATUS_E_FAILURE;
+ }
/* Make sure we have the domain info for the BSS we try to connect to.
* Do we need to worry about sequence for OSs that are not Windows??