From 1bab281747ee945deddaeebb327b25b76e40f704 Mon Sep 17 00:00:00 2001 From: Himanshu Agarwal Date: Wed, 4 Oct 2017 14:59:52 +0530 Subject: qcacld-3.0: Add sanity check for vdev id to prevent OOB access Add sanity check for vdev id in wma_scan_event_callback() to prevent out of bound access of memory. Change-Id: I2a264029a4d80a5478f786f91923ca26af2db74a CRs-Fixed: 2119399 --- core/wma/src/wma_scan_roam.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c index 989bb4ded10b..0ccdb8be8e8b 100644 --- a/core/wma/src/wma_scan_roam.c +++ b/core/wma/src/wma_scan_roam.c @@ -6113,6 +6113,11 @@ int wma_scan_event_callback(WMA_HANDLE handle, uint8_t *data, uint8_t vdev_id; uint32_t scan_id; + if (wmi_event->vdev_id >= wma_handle->max_bssid) { + WMA_LOGE("Invalid vdev id from firmware"); + return -EINVAL; + } + param_buf = (WMI_SCAN_EVENTID_param_tlvs *) data; wmi_event = param_buf->fixed_param; vdev_id = wmi_event->vdev_id; -- cgit v1.2.3