Android 14.0.0 Release 0.63 (AP1A.240405.002,raven/oriole)
qcacld-3.0: Add a sanity check to prevent integer overflow

Currently in the function hdd_send_roam_scan_channel_freq_list_to_sme,
the num_chan variable is declared as uint8_t and is incremented
for each nested attribute PARAM_SCAN_FREQ_LIST.

If the number of attributes sent by userspace is more than the max value
of uint8_t, then an integer overflow occurs.

To avoid this issue, add a sanity check to see if num_chan has reached
SIR_MAX_SUPPORTED_CHANNEL_LIST before incrementing the variable.

Bug: 314786500
Test: Regression Test
Change-Id: I4085338df68c80f316909f85c6c04e3ac8b93cc2
CRs-Fixed: 3568577
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
1 file changed
tree: cb221a4f047d84ef522bde3c0954543d52914d71
  1. fw-api/
  2. qca-wifi-host-cmn/
  3. qcacld-3.0/
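
The counter wrap described in the commit message, as an added example that is not code from this commit or from qcacld-3.0: a uint8_t count over 300 constructed nested entries wraps to 44, while testing the limit before the increment rejects the list. `build_list`, `count_chan`, `ENTRY_LEN` and the entry layout are hypothetical, and `MAX_CHANNEL_LIST` uses an assumed value because the page does not give the value of SIR_MAX_SUPPORTED_CHANNEL_LIST.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHANNEL_LIST 96 /* assumed value for this sketch, not from the page */
#define ENTRY_LEN 8         /* constructed entry: u16 len, u16 type, u32 freq */

/* Build n constructed netlink-style nested entries; returns bytes written. */
static size_t build_list(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint16_t len = ENTRY_LEN, type = 1;
        uint32_t freq = 2412 + 5 * (uint32_t)(i % 13);
        memcpy(buf + i * ENTRY_LEN, &len, 2);
        memcpy(buf + i * ENTRY_LEN + 2, &type, 2);
        memcpy(buf + i * ENTRY_LEN + 4, &freq, 4);
    }
    return n * ENTRY_LEN;
}

/* Count entries into a uint8_t. check_limit = 0: unbounded increment (wraps).
 * Returns 0 on success, -1 for a malformed entry, -2 for too many entries. */
static int count_chan(const uint8_t *buf, size_t total, int check_limit,
                      uint8_t *num_chan)
{
    size_t off = 0;
    *num_chan = 0;
    while (total - off >= 4) {
        uint16_t len;
        memcpy(&len, buf + off, 2);
        if (len < 4 || len > total - off)
            return -1;
        if (check_limit && *num_chan >= MAX_CHANNEL_LIST)
            return -2; /* limit tested before the increment */
        (*num_chan)++;
        off += len; /* constructed entries are already 4-byte aligned */
    }
    return 0;
}

int main(void)
{
    static uint8_t buf[300 * ENTRY_LEN];
    uint8_t n;
    size_t total = build_list(buf, 300);
    int rc = count_chan(buf, total, 0, &n);
    printf("unchecked: rc=%d num_chan=%u\n", rc, (unsigned)n);
    printf("checked:   rc=%d\n", count_chan(buf, total, 1, &n));
    return 0;
}
```

The wrapped count of 44 is below the assumed limit, so a comparison made only after the counting loop would not flag the 300-entry list.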