Merge branch 'android-msm-bonito-4.9-pi-dr2' into android-msm-bonito-4.9-pi-qpr3

JUN 2019.2

Bug: 129973133
Change-Id: I4307f5fec0c7e27fa16d6b5f8c11450d18ad89db
Signed-off-by: Harrison Lingren <hlingren@google.com>
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 06801e7..8d1db7b 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -14576,7 +14576,7 @@
 	uint32_t total_len;
 	struct wmi_roam_scan_stats_res *res;
 	uint32_t i, j;
-	uint32_t num_scans;
+	uint32_t num_scans, scan_param_size;
 
 	*res_param = NULL;
 	*vdev_id = 0xFF; /* Initialize to invalid vdev id */
@@ -14590,11 +14590,17 @@
 		return QDF_STATUS_E_INVAL;
 
 	fixed_param = param_buf->fixed_param;
-	total_len = sizeof(*res) + fixed_param->num_roam_scans *
-		    sizeof(struct wmi_roam_scan_stats_params);
 
-	*vdev_id = fixed_param->vdev_id;
 	num_scans = fixed_param->num_roam_scans;
+	scan_param_size = sizeof(struct wmi_roam_scan_stats_params);
+	*vdev_id = fixed_param->vdev_id;
+	if (num_scans > WMI_ROAM_SCAN_STATS_MAX) {
+		WMI_LOGE(FL("%u exceeded maximum roam scan stats: %u"),
+			 num_scans, WMI_ROAM_SCAN_STATS_MAX);
+		return QDF_STATUS_E_INVAL;
+	}
+
+	total_len = sizeof(*res) + num_scans * scan_param_size;
 
 	res = qdf_mem_malloc(total_len);
 	if (!res) {
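Review bot: The new range check on `num_scans` is also what keeps `num_scans * scan_param_size` from wrapping in 32-bit `total_len` on the line below, but nothing says so and a later reader may "simplify" the check away; a one-line comment would pin the intent: `/* bound num_scans (taken from the event buffer) so total_len cannot wrap and per-scan indexing into res stays in range */`. A second point: `*vdev_id` is now assigned before the check, so on this QDF_STATUS_E_INVAL return the caller receives a real vdev id together with a NULL `*res_param`, which undercuts the "invalid vdev id" initialisation the function starts with; whether any caller relies on 0xFF on failure is not visible here, but moving the assignment below the check keeps that contract intact. The enclosing function begins before this hunk.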
@@ -14638,8 +14644,16 @@
 	if (param_buf->num_num_channels) {
 		uint32_t count, chan_info_sum = 0;
 
-		for (count = 0; count < param_buf->num_num_channels; count++)
+		for (count = 0; count < param_buf->num_num_channels; count++) {
+			if (param_buf->num_channels[count] >
+			    WMI_ROAM_SCAN_STATS_CHANNELS_MAX) {
+				WMI_LOGE(FL("%u exceeded max scan channels %u"),
+					 param_buf->num_channels[count],
+					 WMI_ROAM_SCAN_STATS_CHANNELS_MAX);
+				goto error;
+			}
 			chan_info_sum += param_buf->num_channels[count];
+		}
 
 		if (param_buf->chan_info &&
 		    param_buf->num_chan_info == chan_info_sum)
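Review bot: The per-element check bounds each `num_channels[count]` but not the number of elements, so `chan_info_sum` (a uint32_t) can still wrap when `num_num_channels` is large, and the equality against `num_chan_info` just below could then pass for a mismatched buffer; the same shape applies to `roam_cand_sum` in the next hunk. Unless `num_num_channels` is already tied to `num_scans` elsewhere in the function (not visible in this hunk), a guard before the loop such as `if (param_buf->num_num_channels > num_scans) goto error;` closes the gap, since `num_scans` is now bounded by WMI_ROAM_SCAN_STATS_MAX; this presumes one `num_channels` entry per scan, which should be confirmed against the TLV definition. The enclosing function starts before the hunk.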
@@ -14654,8 +14668,16 @@
 		uint32_t count, roam_cand_sum = 0;
 
 		for (count = 0; count < param_buf->num_num_roam_candidates;
-			count++)
+		     count++) {
+			if (param_buf->num_roam_candidates[count] >
+			    WMI_ROAM_SCAN_STATS_CANDIDATES_MAX) {
+				WMI_LOGE(FL("%u exceeded max scan cand %u"),
+					 param_buf->num_roam_candidates[count],
+					 WMI_ROAM_SCAN_STATS_CANDIDATES_MAX);
+				goto error;
+			}
 			roam_cand_sum += param_buf->num_roam_candidates[count];
+		}
 
 		if (param_buf->bssid &&
 		    param_buf->num_bssid == roam_cand_sum)
@@ -14735,6 +14757,9 @@
 	*res_param = res;
 
 	return QDF_STATUS_SUCCESS;
+error:
+	qdf_mem_free(res);
+	return QDF_STATUS_E_FAILURE;
 }
 
 /**
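Review bot: The new `error:` path returns QDF_STATUS_E_FAILURE, while the equivalent rejection of an out-of-range `num_scans` earlier in this change returns QDF_STATUS_E_INVAL; both reject the same class of malformed event data, so the label should return the same code, `return QDF_STATUS_E_INVAL;`, so callers can distinguish bad input from a genuine internal failure. A short comment on the label would also document its precondition, since the free is only correct for jumps taken after `qdf_mem_malloc` succeeded: `/* only reachable after res has been allocated */`. The function body preceding this hunk is outside view.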