From 613f91ebcd0838c2c2bec3657e36dd57fcc6a7ea Mon Sep 17 00:00:00 2001
From: Sridhar Selvaraj
Date: Wed, 12 Jul 2017 11:12:19 +0530
Subject: qcacld-2.0: Add bound check for numap to avoid integer overflow
Currently, numap is int and is assigned with a uint32 value from fw which might lead to integer overflow. Also, when multiplying the uint32 value with sizeof dest_ap could lead to int overflow if the value of numap is close to uint32's maximum limit. Fix/Modify numap to uint32 to be in sync with value from fw cmd. Also add check to trim down numap value to max (10) if value is greater than max (10).
Change-Id: I060f585c8c951807cd32b5eec75c1bad2e84a75b
CRs-Fixed: 2067820
---
 CORE/SERVICES/WMA/wma.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index df9ca4812148..0beb814f45eb 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -291,6 +291,12 @@ enum extscan_report_events_type {
 #define WMA_EXTSCAN_CYCLE_WAKE_LOCK_DURATION (5 * 1000) /* in msec */
+/*
+ * Maximum number of entires that could be present in the
+ * WMI_EXTSCAN_HOTLIST_MATCH_EVENT buffer from the firmware
+ */
+#define WMA_EXTSCAN_MAX_HOTLIST_ENTRIES 10
+
 #endif
 /* Data rate 100KBPS based on IE Index */
@@ -4242,7 +4248,8 @@ static int wma_extscan_hotlist_match_event_handler(void *handle,
 struct extscan_hotlist_match *dest_hotlist;
 tSirWifiScanResult *dest_ap;
 wmi_extscan_wlan_descriptor *src_hotlist;
- int numap, j, ap_found = 0;
+ uint32_t numap;
+ int j, ap_found = 0;
 tpAniSirGlobal pMac = (tpAniSirGlobal )vos_get_context( VOS_MODULE_ID_PE, wma->vos_context);
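Review bot: The comment above the new `WMA_EXTSCAN_MAX_HOTLIST_ENTRIES` define in the first hunk misspells "entries" as `entires` and does not say where the limit of 10 comes from. Because this constant now bounds an allocation sized by a firmware-supplied count, the comment should state the source of the limit and what happens above it, for example `/* Maximum number of entries accepted from one WMI_EXTSCAN_HOTLIST_MATCH_EVENT; larger firmware counts are clamped to this value */`.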
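Review bot: In the second hunk `j` stays `int` while `numap` becomes `uint32_t`, so any `j < numap` comparison in the copy loop mixes signed and unsigned operands. The loop is outside this hunk, so that is inferred; it is harmless once `numap` is clamped to 10, but declaring `uint32_t numap, j;` and `int ap_found = 0;` would keep the index and the bound the same type. The function body starts and ends outside the hunk.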
@@ -4268,6 +4275,11 @@ static int wma_extscan_hotlist_match_event_handler(void *handle,
 WMA_LOGE("%s: Hotlist AP's list invalid", __func__);
 return -EINVAL;
 }
+ if (numap > WMA_EXTSCAN_MAX_HOTLIST_ENTRIES) {
+ WMA_LOGE("%s: Total Entries %u greater than max",
+ __func__, numap);
+ numap = WMA_EXTSCAN_MAX_HOTLIST_ENTRIES;
+ }
 dest_hotlist = vos_mem_malloc(sizeof(*dest_hotlist) + sizeof(*dest_ap) * numap);
 if (!dest_hotlist) {
-- cgit v1.2.3
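Review bot: The new `if (numap > WMA_EXTSCAN_MAX_HOTLIST_ENTRIES)` block bounds the allocation, but nothing in this hunk checks that the event actually carries `numap` descriptors, so a firmware count of 10 or less that still exceeds the received array could make the later copy read past the event buffer. The copy loop and the assignment of `numap` sit outside the hunk, so this is inferred; if the parsed event exposes the number of descriptors actually received, compare `numap` against it here and `return -EINVAL;` as the preceding check does. Please also confirm that every later use in the function takes the clamped `numap` and not the original count from the event, otherwise the consumer is told about more entries than were allocated. A short comment such as `/* count comes from firmware and is untrusted: clamp so the allocation and copy stay bounded */` would record why the value is truncated rather than rejected.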