| author | Mahesh A Saptasagar <c_msapta@qti.qualcomm.com> | 2016-07-01 15:41:16 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-07-11 00:10:40 -0700 |
| commit | a167bce3dbfe0af863ee6123b02f34454e94de03 (patch) | |
| tree | 40cf7b92ed8a61f2c401f3d636350e485995adea /CORE | |
| parent | a84b91c6fd57f28adc5a59e17b5e78029e991f55 (diff) | |
qcacld-2.0: Fix for potential buffer overflow and null pointer references
prima to qcacld-2.0 propagation
Static analyser is reporting errors for array bound
checking and null pointer references.
To resolve this
1. Check that the array index does not exceed
WNI_CFG_VALID_CHANNEL_LIST_LEN before accessing the
ChannelList array.
2. Check for NULL condition wherever necessary.
Change-Id: Idd0a23a8180dddabfdd353c0861899411aecfa16
CRs-Fixed: 534624
Diffstat (limited to 'CORE')
| -rw-r--r-- | CORE/SME/src/csr/csrNeighborRoam.c | 11 | ||||
| -rw-r--r-- | CORE/SME/src/csr/csrTdlsProcess.c | 6 |
2 files changed, 7 insertions, 10 deletions
diff --git a/CORE/SME/src/csr/csrNeighborRoam.c b/CORE/SME/src/csr/csrNeighborRoam.c
index 3a65e325e6b4..6fa7ce23476e 100644
--- a/CORE/SME/src/csr/csrNeighborRoam.c
+++ b/CORE/SME/src/csr/csrNeighborRoam.c
@@ -4397,6 +4397,9 @@ VOS_STATUS csrNeighborRoamTransitToCFGChanScan(tpAniSirGlobal pMac,
 else
 {
 numOfChannels = pMac->scan.occupiedChannels[sessionId].numChannels;
+ if (numOfChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN) {
+ numOfChannels = WNI_CFG_VALID_CHANNEL_LIST_LEN;
+ }
 if (numOfChannels
 #ifdef FEATURE_WLAN_LFR
 && ((pNeighborRoamInfo->uScanMode == SPLIT_SCAN_OCCUPIED_LIST) ||
@@ -4428,10 +4431,6 @@ VOS_STATUS csrNeighborRoamTransitToCFGChanScan(tpAniSirGlobal pMac,
 }
 else
 {
- if (numOfChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN)
- {
- numOfChannels = WNI_CFG_VALID_CHANNEL_LIST_LEN;
- }
 vos_mem_copy(channelList,
 pMac->scan.occupiedChannels[sessionId].channelList,
 numOfChannels * sizeof(tANI_U8));
@@ -4466,10 +4465,6 @@ VOS_STATUS csrNeighborRoamTransitToCFGChanScan(tpAniSirGlobal pMac,
 smsLog(pMac, LOGE, FL("Memory allocation for Channel list failed"));
 return VOS_STATUS_E_RESOURCES;
 }
- if (numOfChannels > WNI_CFG_VALID_CHANNEL_LIST_LEN)
- {
- numOfChannels = WNI_CFG_VALID_CHANNEL_LIST_LEN;
- }
 currChannelListInfo->numOfChannels = outputNumOfChannels;
 vos_mem_copy(currChannelListInfo->ChannelList,
 scanChannelList,
diff --git a/CORE/SME/src/csr/csrTdlsProcess.c b/CORE/SME/src/csr/csrTdlsProcess.c
index e76e7e3884b1..f7c2922eefaf 100644
--- a/CORE/SME/src/csr/csrTdlsProcess.c
+++ b/CORE/SME/src/csr/csrTdlsProcess.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
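Review bot: The clamp added right after `numOfChannels = pMac->scan.occupiedChannels[sessionId].numChannels;` truncates silently, so a count above WNI_CFG_VALID_CHANNEL_LIST_LEN, which would suggest inconsistent or corrupted occupied-channel state, leaves no trace in the logs. A log line inside the new `if` before the assignment would make that visible, for example `smsLog(pMac, LOGE, FL("occupied channel count exceeds limit, truncating"));`, and the opening brace on the `if` line differs from the brace-on-own-line style of the surrounding code. The clamp sits only in this `else` branch; whether the preceding branch bounds numOfChannels the same way, and whether channelList is sized to WNI_CFG_VALID_CHANNEL_LIST_LEN, cannot be confirmed here because the function begins and ends outside the hunk. The third hunk removes a clamp ahead of the copy into `currChannelListInfo->ChannelList`, whose length argument is cut off in the context, so it is worth confirming that copy is bounded by the size that was allocated.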
@@ -149,7 +149,7 @@ eHalStatus csrTdlsSendMgmtReq(tHalHandle hHal, tANI_U8 sessionId, tCsrTdlsSendMg
 }
 /*
- * TDLS request API, called from HDD to add a TDLS peer
+ * TDLS request API, called from HDD to modify an existing TDLS peer
 */
 eHalStatus csrTdlsChangePeerSta(tHalHandle hHal,
 tANI_U8 sessionId,
@@ -160,6 +160,8 @@ eHalStatus csrTdlsChangePeerSta(tHalHandle hHal,
 tSmeCmd *tdlsAddStaCmd ;
 eHalStatus status = eHAL_STATUS_FAILURE ;
+ if (NULL == pstaParams)
+ return status;
 //If connected and in Infra. Only then allow this
 if (CSR_IS_SESSION_VALID( pMac, sessionId ) &&
 csrIsConnStateConnectedInfra( pMac, sessionId ) && |
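Review bot: The new `if (NULL == pstaParams) return status;` in csrTdlsChangePeerSta rejects the call without logging, and it returns the same eHAL_STATUS_FAILURE that the not-connected path presumably yields, so a caller passing a NULL parameter block cannot be told apart from an ordinary state failure. Adding braces and a log line would help, for example `smsLog(pMac, LOGE, FL("pstaParams is NULL"));` before the return, assuming pMac is already initialised at that point; its declaration is above the hunk and not visible. The function body continues past the end of the hunk, so whether later code dereferences other pointer arguments without a check cannot be judged from here.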
