qcacmn: Possible Out of bound read in policy_mgr_get_channel_list
To prepare the channel list suggestion for a new connection, policy_mgr_get_channel_list invokes policy_mgr_get_valid_chans to get the number of valid channels. Driver uses returned num channel and iterates channel list to divide the list into 2.4 & 5 GHz lists. In case if, num of valid channel returned by policy_mgr_get_valid_chans is greater than the maximum number of channel supported in the channel list, QDF_MAX_NUM_CHAN(128), possible OOB read occurs. Validate the value of chan_index of channel list in policy_mgr_get_channel_list against the maximum number of channels supported in the channel list. Change-Id: I6beb9231aaef491731557434d1ae210ac0bdb036 CRs-Fixed: 2346125
This commit is contained in:
Abhinav Kumar
nshrivas
parent
2a4e082ad7
commit
862a3441de
@ -1972,6 +1972,7 @@ QDF_STATUS policy_mgr_get_channel_list(struct wlan_objmgr_psoc *psoc,
|
|||||||
}
|
}
|
||||||
|
|
||||||
while ((chan_index < num_channels) &&
|
while ((chan_index < num_channels) &&
|
||||||
|
(chan_index < QDF_MAX_NUM_CHAN) &&
|
||||||
(chan_index_5 < QDF_MAX_NUM_CHAN)) {
|
(chan_index_5 < QDF_MAX_NUM_CHAN)) {
|
||||||
if ((true == skip_dfs_channel) &&
|
if ((true == skip_dfs_channel) &&
|
||||||
wlan_reg_is_dfs_ch(pm_ctx->pdev,
|
wlan_reg_is_dfs_ch(pm_ctx->pdev,
|
||||||
@ -3090,7 +3091,7 @@ void policy_mgr_init_sap_mandatory_2g_chan(struct wlan_objmgr_psoc *psoc)
|
|||||||
}
|
}
|
||||||
pm_ctx->sap_mandatory_channels_len = 0;
|
pm_ctx->sap_mandatory_channels_len = 0;
|
||||||
|
|
||||||
for (i = 0; i < len; i++) {
|
for (i = 0; (i < len) && (i < QDF_MAX_NUM_CHAN); i++) {
|
||||||
if (WLAN_REG_IS_24GHZ_CH(chan_list[i])) {
|
if (WLAN_REG_IS_24GHZ_CH(chan_list[i])) {
|
||||||
policy_mgr_debug("Add chan %hu to mandatory list",
|
policy_mgr_debug("Add chan %hu to mandatory list",
|
||||||
chan_list[i]);
|
chan_list[i]);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user