qcacld-3.0: Fix OOB write in wma_roam_synch_event_handler

The routine wma_roam_synch_event_handler sends roam indication to the
upper layers. It uses the vdev_id of the synch event to pass the roaming
indication for the vdev session. If the vdevid exceeds the max_bssid
supported, then OOB write occurs in wma_roam_synch_event_handler.

Add a check to validate that the vdev does not exceed the maximum bssid
configured. Add a check to ensure the vdev does not exceed max_bssid and
return an error if violated.

Change-Id: Ief8b5070fd6cbb375900e2816524dbd946c5238d
CRs-Fixed: 2206569
Pragaspathi Thilagaraj 2018-04-02 17:21:26 +05:30 committed by nshrivas
parent ee09f8eefd
commit 54ac69d1ff


@ -2226,6 +2226,12 @@ int wma_roam_synch_event_handler(void *handle, uint8_t *event,
goto cleanup_label;
}
if (synch_event->vdev_id >= wma->max_bssid) {
WMA_LOGE("%s: received invalid vdev_id %d",
__func__, synch_event->vdev_id);
return status;
}
if (synch_event->bcn_probe_rsp_len >
param_buf->num_bcn_probe_rsp_frame ||
synch_event->reassoc_req_len >
@ -2238,11 +2244,6 @@ int wma_roam_synch_event_handler(void *handle, uint8_t *event,
synch_event->reassoc_rsp_len);
goto cleanup_label;
}
if (synch_event->vdev_id >= wma->max_bssid) {
WMA_LOGE("%s: received invalid vdev_id %d",
__func__, synch_event->vdev_id);
goto cleanup_label;
}
wlan_roam_debug_log(synch_event->vdev_id, DEBUG_ROAM_SYNCH_IND,
DEBUG_INVALID_PEER_ID, NULL, NULL,
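Review bot: The relocated vdev_id check in the first hunk exits with `return status;`, while the checks immediately before and after it, and the copy removed in the second hunk, all leave through `goto cleanup_label;`. Neither the cleanup label nor the value of `status` at that point is visible here, so it is worth confirming that `status` still holds an error code and that nothing acquired earlier in the handler is released only under `cleanup_label`. If the direct return is deliberate, presumably because the cleanup path itself uses `synch_event->vdev_id`, a comment such as `/* invalid vdev_id: return directly instead of going through cleanup_label */` would keep a later refactor from restoring the `goto` and the out-of-bounds access with it. wma_roam_synch_event_handler begins and ends outside these hunks.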