bf39868cae
In function csr_check_concurrent_channel_overlap, local variable intf_ch is defined as uint16_t, but its pointer is casted to uint32_t * before invoking policy_mgr_get_sap_mandatory_channel, which will do 32-bit memory write and causes a stack memory over- writing. Call Trace: dump_stack+0x46/0x59 print_address_description+0x66/0x22b kasan_report+0x21f/0x245 policy_mgr_get_sap_mandatory_channel+0x1fd/0x258 [wlan] csr_check_concurrent_channel_overlap+0xf84/0x10d2 [wlan] sme_check_concurrent_channel_overlap+0xaa/0xf0 [wlan] wlansap_check_cc_intf+0x102/0x124 [wlan] wlan_hdd_get_channel_for_sap_restart+0x506/0x8f8 [wlan] policy_mgr_check_sta_ap_concurrent_ch_intf+0x35e/0x425[wlan] process_one_work+0x2cc/0x53b worker_thread+0x357/0x490 Change the type of the 2nd parameter to uint16_t within function policy_mgr_get_sap_mandatory_channel, so only 16-bit memory writing will take place. Change-Id: If514a394e65d005a1fe025c0e753bf7440dd5dde CRs-Fixed: 2508798 |
||
|---|---|---|
| .. | ||
| wlan_policy_mgr_api.h | ||
| wlan_policy_mgr_cfg.h | ||
| wlan_policy_mgr_public_struct.h | ||
| wlan_policy_mgr_ucfg.h | ||