authorHsiu-Chang Chen <hsiuchangchen@google.com>2023-07-24 20:30:21 -0700
committerHsiu-Chang Chen <hsiuchangchen@google.com>2023-12-17 22:26:41 +0800
commit99acad13c365ad2c31bf8d8045bf59ab3ce18e45 (patch)
treecb221a4f047d84ef522bde3c0954543d52914d71
parent00fdb0fd07b6d5959d8ed0ebce89d43908d8c51a (diff)
Currently, in the function hdd_send_roam_scan_channel_freq_list_to_sme, the num_chan variable is declared as uint8_t and is incremented for each nested attribute PARAM_SCAN_FREQ_LIST. If the number of attributes sent by userspace is more than the max value of uint8_t, then an integer overflow occurs. To avoid this issue, add a sanity check to see if num_chan has reached SIR_MAX_SUPPORTED_CHANNEL_LIST before incrementing the variable. Bug: 314786500 Test: Regression Test Change-Id: I4085338df68c80f316909f85c6c04e3ac8b93cc2 CRs-Fixed: 3568577 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r--qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c b/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
index 760a74b..5e7076c 100644
--- a/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
@@ -4919,12 +4919,13 @@ hdd_send_roam_scan_channel_freq_list_to_sme(struct hdd_context *hdd_ctx,
return QDF_STATUS_E_INVAL;
}
- nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem)
+ nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem) {
+ if (num_chan >= SIR_MAX_SUPPORTED_CHANNEL_LIST) {
+ hdd_err("number of channels (%d) supported exceeded max (%d)",
+ num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);
+ return QDF_STATUS_E_INVAL;
+ }
num_chan++;
- if (num_chan > SIR_MAX_SUPPORTED_CHANNEL_LIST) {
- hdd_err("number of channels (%d) supported exceeded max (%d)",
- num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);
- return QDF_STATUS_E_INVAL;
}
num_chan = 0;
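Review bot: The new `num_chan >= SIR_MAX_SUPPORTED_CHANNEL_LIST` guard only prevents the wrap while that constant fits in the counter's type. According to the commit message `num_chan` is a `uint8_t`; its declaration and the constant's value are outside this hunk. If the limit were ever raised above 255, the comparison could never be true and the userspace-controlled attribute count would wrap silently again. I would pin that assumption next to the loop with a build-time check such as `BUILD_BUG_ON(SIR_MAX_SUPPORTED_CHANNEL_LIST > U8_MAX);`, or widen `num_chan` to `uint32_t` where it is declared. A short comment above the guard would also help, e.g. `/* check before incrementing: num_chan is uint8_t and wraps at 256 */`. The function body starts and ends outside the hunk, so the later loop that reuses `num_chan` after the reset to 0 could not be checked from here.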