android_kernel_xiaomi_sm8350

History

Vignesh Viswanathan a2ef8b1904 qcacld-3.0: Fix OOB read in wma_mgmt_tx_bundle_completion_handler In function wma_mgmt_tx_bundle_completion_handler cmpl_params->num_reports, param_buf->desc_ids and param_buf->status are received from the FW. num_reports is used as array index to access desc_ids and status. If the value of num_reports exceeds the max allowed array index, out of bounds access would happen. Add sanity check to make sure num_reports does not exceed the max allowed limit. Also make sure num_reports is not greater than num_desc_ids and num_status Change-Id: I300411febf6449680e873e5947fa767298afe962 CRs-Fixed: 2119439	2017-10-25 23:40:50 -07:00
..
inc	qcacld-3.0: Abort suspend if critical events are in flight	2017-10-25 13:41:18 -07:00
src	qcacld-3.0: Fix OOB read in wma_mgmt_tx_bundle_completion_handler	2017-10-25 23:40:50 -07:00

Vignesh Viswanathan a2ef8b1904 qcacld-3.0: Fix OOB read in wma_mgmt_tx_bundle_completion_handler

In function wma_mgmt_tx_bundle_completion_handler
cmpl_params->num_reports, param_buf->desc_ids and param_buf->status
are received from the FW. num_reports is used as array index to access
desc_ids and status. If the value of num_reports exceeds the max
allowed array index, out of bounds access would happen.

Add sanity check to make sure num_reports does not exceed the max
allowed limit. Also make sure num_reports is not greater than
num_desc_ids and num_status

Change-Id: I300411febf6449680e873e5947fa767298afe962
CRs-Fixed: 2119439

2017-10-25 23:40:50 -07:00

inc

qcacld-3.0: Abort suspend if critical events are in flight

2017-10-25 13:41:18 -07:00

src

qcacld-3.0: Fix OOB read in wma_mgmt_tx_bundle_completion_handler

2017-10-25 23:40:50 -07:00