diff options
| author | Jianmin Zhu <quic_jianminz@quicinc.com> | 2021-12-27 20:11:54 +0800 |
|---|---|---|
| committer | Alexander Grund <flamefire89@gmail.com> | 2023-12-31 19:03:32 +0100 |
| commit | 2940437216a5097c20ff7a4aa9084b14fd7e29bc (patch) | |
| tree | 319e32780f763422ed6af4e285f2577df2c36ac4 | |
| parent | 003f2026ba356ff7985c2e543bbfbd210e2215c7 (diff) | |
qcacld-3.0: Avoid possible array OOB
Add bound check before access array to avoid out of bound issue.
Separate array bound and duplicate check of 11a and 11b since they have
different length and type.
Change-Id: Icb9382cd42385339532518759de0f6137c5203bd
CRs-Fixed: 3051517
| -rw-r--r-- | drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_assoc_utils.c | 60 |
1 files changed, 31 insertions, 29 deletions
diff --git a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_assoc_utils.c b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_assoc_utils.c index 5ac4c6f80577..4139b5d1bc2e 100644 --- a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_assoc_utils.c +++ b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_assoc_utils.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2011-2021 The Linux Foundation. All rights reserved. + * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -1653,7 +1654,7 @@ lim_populate_peer_rate_set(tpAniSirGlobal pMac, { tSirMacRateSet tempRateSet; tSirMacRateSet tempRateSet2; - uint32_t i, j, val, min, isArate = 0; + uint32_t i, j, val, min; uint8_t aRateIndex = 0; uint8_t bRateIndex = 0; @@ -1713,39 +1714,40 @@ lim_populate_peer_rate_set(tpAniSirGlobal pMac, min = j; } } - if (sirIsArate(tempRateSet.rate[min] & 0x7f)) { - isArate = 1; + /* + * HAL needs to know whether the rate is basic rate or not, as it needs to + * update the response rate table accordingly. e.g. if one of the 11a rates is + * basic rate, then that rate can be used for sending control frames. + * HAL updates the response rate table whenever basic rate set is changed. + */ + if (basicOnly && !(tempRateSet.rate[min] & 0x80)) { + pe_debug("Invalid basic rate"); + } else if (sirIsArate(tempRateSet.rate[min] & 0x7f)) { + if (aRateIndex >= SIR_NUM_11A_RATES) { + pe_debug("OOB, aRateIndex: %d", aRateIndex); + } else if (aRateIndex >= 1 && (tempRateSet.rate[min] == + pRates->llaRates[aRateIndex - 1])) { + pe_debug("Duplicate 11a rate: %d", + tempRateSet.rate[min]); + } else { + pRates->llaRates[aRateIndex++] = + tempRateSet.rate[min]; + } } else if (sirIsBrate(tempRateSet.rate[min] & 0x7f)) { - isArate = 0; + if (bRateIndex >= SIR_NUM_11B_RATES) { + pe_debug("OOB, bRateIndex: %d", bRateIndex); + } else if (bRateIndex >= 1 && (tempRateSet.rate[min] == + pRates->llbRates[bRateIndex - 1])) { + pe_debug("Duplicate 11b rate: %d", + tempRateSet.rate[min]); + } else { + pRates->llbRates[bRateIndex++] = + tempRateSet.rate[min]; + } } else { pe_debug("%d is neither 11a nor 11b rate", tempRateSet.rate[min]); - tempRateSet.rate[min] = 0xff; - continue; - } - if (tempRateSet.rate[min] == pRates->llaRates[aRateIndex] || - tempRateSet.rate[min] == pRates->llbRates[bRateIndex]) { - pe_debug("Duplicate rate: %d", tempRateSet.rate[min]); - tempRateSet.rate[min] = 0xff; - continue; - } - /* - * HAL needs to know whether the rate is basic rate or not, - * as it needs to update the response rate table accordingly. - * e.g. if one of the 11a rates is basic rate, then that rate - * can be used for sending control frames. HAL updates the - * response rate table whenever basic rate set is changed. - */ - if (basicOnly && !(tempRateSet.rate[min] & 0x80)) { - tempRateSet.rate[min] = 0xff; - continue; } - if (isArate && aRateIndex < SIR_NUM_11A_RATES) - pRates->llaRates[aRateIndex++] = - tempRateSet.rate[min]; - else if (bRateIndex < SIR_NUM_11B_RATES) - pRates->llbRates[bRateIndex++] = - tempRateSet.rate[min]; tempRateSet.rate[min] = 0xff; } |