lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix channel avoid frequency list corruption

Browse Source 
In wlan_hdd_merge_avoid_freqs() there is a test to determine if the
merged frequency list will exceed the size of the destination buffer,
and if so, the function returns an error. Unfortunately the method to
determine overflow actually modifies the information in the
destination list, and so if the error return occurs the destination
list will contain an incorrect, too large, destination list size.
Address this issue by determining if the list will overflow prior to
modifying the destination list size.

Change-Id: I9ede0bc24c676d6a9ef124d83c36ca9860b847f7
CRs-Fixed: 2410138
This commit is contained in:
Jeff Johnson 2019-03-05 14:48:42 -08:00 committed by nshrivas
parent c047d29ff2
commit 62f2899348
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
core/hdd/src/wlan_hdd_cfg80211.c
View File

@ -860,14 +860,16 @@ int wlan_hdd_merge_avoid_freqs(struct ch_avoid_ind_type *destFreqList,
struct ch_avoid_ind_type *srcFreqList)
{
int i;
uint32_t room;
struct ch_avoid_freq_type *avoid_range =
&destFreqList->avoid_freq_range[destFreqList->ch_avoid_range_cnt];
destFreqList->ch_avoid_range_cnt += srcFreqList->ch_avoid_range_cnt;
if (destFreqList->ch_avoid_range_cnt > CH_AVOID_MAX_RANGE) {
room = CH_AVOID_MAX_RANGE - destFreqList->ch_avoid_range_cnt;
if (srcFreqList->ch_avoid_range_cnt > room) {
hdd_err("avoid freq overflow");
return -EINVAL;
}
destFreqList->ch_avoid_range_cnt += srcFreqList->ch_avoid_range_cnt;
for (i = 0; i < srcFreqList->ch_avoid_range_cnt; i++) {
avoid_range->start_freq =