qcacld-3.0: Add check for bss_list size in wma_group_num_bss_to_scan_id

In wma_group_num_bss_to_scan_id(), bssid_list may get accessed
outside of the available buffer size.

Fix the possible out-of-bounds access by adding a check.

Change-Id: I5e278bd96b8f57c96f53d7c3cd8f4f3e5a67fc6c
CRs-Fixed: 2385431
Sandeep Puligilla 2019-02-04 13:10:58 -08:00 committed by nshrivas
parent a5449fb42f
commit d3201dd085


@ -4131,6 +4131,17 @@ static int wma_group_num_bss_to_scan_id(const u_int8_t *cmd_param_info,
t_cached_result = cached_result;
t_scan_id_grp = &t_cached_result->result[0];
if ((t_cached_result->num_scan_ids *
QDF_MIN(t_scan_id_grp->num_results,
param_buf->num_bssid_list)) > param_buf->num_bssid_list) {
WMA_LOGE("%s:num_scan_ids %d, num_results %d num_bssid_list %d",
__func__,
t_cached_result->num_scan_ids,
t_scan_id_grp->num_results,
param_buf->num_bssid_list);
return -EINVAL;
}
WMA_LOGD("%s: num_scan_ids:%d", __func__,
t_cached_result->num_scan_ids);
for (i = 0; i < t_cached_result->num_scan_ids; i++) {
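Review bot: The product in the new guard, `t_cached_result->num_scan_ids * QDF_MIN(...)`, can wrap if both operands are 32-bit counts taken from the firmware event (their types are not visible in this hunk), so a very large num_scan_ids could still pass the comparison and reach the loop below. Comparing by division avoids the wrap: compute `per_grp = QDF_MIN(t_scan_id_grp->num_results, param_buf->num_bssid_list);` and test `if (per_grp && t_cached_result->num_scan_ids > param_buf->num_bssid_list / per_grp)`. The guard also reads num_results from `result[0]` only; the loop body lies outside the hunk, so if later groups carry their own counts, the running total consumed from bssid_list should be bounded inside the loop as well. If these counts are unsigned, `%u` rather than `%d` would match them in the WMA_LOGE format string.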