Gitiles
Code Review Sign In
android-review.linaro.org / kernel / msm-modules / qca-wfi-host-cmn / refs/tags/android-14.0.0_r0.47
tag4b27a1fa2f3ce730b0f8b46ff6aeefd3f619d559
taggerThe Android Open Source Project <initial-contribution@android.com>Tue Feb 06 11:39:09 2024 -0800
object8de2c27c419e4a5d0ec6c540c020e0ad00fc1e33 
Android 14.0.0 Release 0.47 (UP1A.231105.001.B2,bramble/redfin)
commit8de2c27c419e4a5d0ec6c540c020e0ad00fc1e33[log] [tgz]
authorHsiu-Chang Chen <hsiuchangchen@google.com>Thu Feb 16 18:09:50 2023 +0530
committerHsiu-Chang Chen <hsiuchangchen@google.com>Fri May 05 13:36:50 2023 +0800
tree5d3cd62dbba4548838be13e7916c9cb475d38b10
parent166dff5cd42ac4febdb8966c687e38c3125bf1a9 [diff]
qcacmn: Fix out-of-bounds of src_freq

When handling WMI_ROAM_SCAN_STATS_EVENTID,
the number of channels scanned for each roam trigger is fetched from
wmi_roam_scan_info TLV (wmi_roam_scan_info->roam_scan_channel_count),
The total number of channels for all the roam triggers is fetched from
param_buf->num_roam_scan_chan_info.

chan_idx is the index used to fetch the current channel info TLV to be
read. So if wmi_roam_scan_info->roam_scan_channel_count provided by
firmware exceeds the total param_buf->num_roam_scan_chan_info starting
from given chan_idx then OOB access of event buffer can happen.

To avoid this, validate the sum of the current chan_idx and
src_data->roam_scan_channel_count against
evt_buf->num_roam_scan_chan_info.

Bug: 280447263
Test: Regression Test
Change-Id: Ied94464d1f12690cf8832962b94595c2e00c33f8
CRs-Fixed: 3357714
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
1 file changed
tree: 5d3cd62dbba4548838be13e7916c9cb475d38b10
  1. cfg/
  2. dp/
  3. ftm/
  4. global_lmac_if/
  5. hal/
  6. hif/
  7. htc/
  8. init_deinit/
  9. os_if/
  10. qal/
  11. qdf/
  12. scheduler/
  13. spectral/
  14. target_if/
  15. umac/
  16. utils/
  17. wbuff/
  18. wlan_cfg/
  19. wmi/
  20. OWNERS
  21. README.txt
  22. VERSION.txt