android_kernel_xiaomi_sm8350/core/wma
Vignesh Viswanathan c279230cfc qcacld-3.0: Fix potential OOB read in wma_populate_soc_caps
In function wma_populate_soc_caps, param_buf is received from the FW and
soc_hw_mode_caps->num_hw_modes denotes the number of HW mode capabilities
included under hw_mode_caps. However, the actual length of the
hw_mode_caps buffer filled by the FW is num_hw_mode_caps.
If the value of soc_hw_mode_caps->num_hw_modes is greater than
num_hw_mode_caps, then an OOB read would occur while copying the FW buffer
for hw_mode_caps.

Similarly, soc_hal_reg_caps->num_phy denotes the number of hal_reg_caps
included in the FW buffer. However, the actual length of the hal_reg_caps
is num_hal_reg_caps. If the value of soc_hal_reg_caps->num_phy is greater
than num_hal_reg_caps, an OOB read would occur.

Add checks to make sure soc_hw_mode_caps->num_hw_modes is not greater
than num_hw_mode_caps.
Also add a check to make sure soc_hal_reg_caps->num_phy is not greater
than num_hal_reg_caps.

Change-Id: I3accffca3fc83f7e614d8f9a5bb850733a508ff7
CRs-Fixed: 2160423
2018-01-19 15:42:44 -08:00
..
inc qcacld-3.0: Add obss detection offload support 2018-01-17 17:49:06 -08:00
src qcacld-3.0: Fix potential OOB read in wma_populate_soc_caps 2018-01-19 15:42:44 -08:00
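
The two count checks described in the commit message above, written out as an added C example; this is not the driver's code. The types `fw_event` and `soc_caps`, their fields, and the function `populate_soc_caps` are hypothetical stand-ins for a message whose stated counts can disagree with the number of elements actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for the firmware event layout; not the driver's types. */
struct hw_mode_cap { uint32_t hw_mode_id, phy_id_map; };
struct hal_reg_cap { uint32_t phy_id, eeprom_rd; };
struct fw_event {
    uint32_t claimed_hw_modes, claimed_phys;     /* counts stated in the message */
    uint32_t num_hw_mode_caps, num_hal_reg_caps; /* elements actually received */
    const struct hw_mode_cap *hw_mode_caps;
    const struct hal_reg_cap *hal_reg_caps;
};
struct soc_caps {
    struct hw_mode_cap *hw_modes;
    struct hal_reg_cap *reg_caps;
    uint32_t n_hw_modes, n_reg_caps;
};

/* Copy both arrays; 0 on success, -1 if a stated count exceeds what arrived. */
int populate_soc_caps(const struct fw_event *ev, struct soc_caps *out)
{
    size_t nm = ev->claimed_hw_modes, np = ev->claimed_phys;
    memset(out, 0, sizeof(*out));
    if (nm > ev->num_hw_mode_caps || np > ev->num_hal_reg_caps)
        return -1;  /* reject before reading either buffer */
    /* calloc checks count * size for overflow; "+ 1" avoids a zero-size request */
    out->hw_modes = calloc(nm + 1, sizeof(*out->hw_modes));
    out->reg_caps = calloc(np + 1, sizeof(*out->reg_caps));
    if (!out->hw_modes || !out->reg_caps) {
        free(out->hw_modes); free(out->reg_caps);
        memset(out, 0, sizeof(*out));
        return -1;
    }
    if (nm) memcpy(out->hw_modes, ev->hw_mode_caps, nm * sizeof(*out->hw_modes));
    if (np) memcpy(out->reg_caps, ev->hal_reg_caps, np * sizeof(*out->reg_caps));
    out->n_hw_modes = ev->claimed_hw_modes; out->n_reg_caps = ev->claimed_phys;
    return 0;
}

int main(void)
{
    /* Constructed sample: one hw-mode entry received, message states three. */
    struct hw_mode_cap modes[1] = { {0, 1} };
    struct hal_reg_cap regs[1] = { {0, 16} };
    struct fw_event ev = { 3, 1, 1, 1, modes, regs };
    struct soc_caps caps;
    printf("populate_soc_caps -> %d\n", populate_soc_caps(&ev, &caps));
    return 0;
}
```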