Merge branch 'android-msm-bonito-4.9-pi-dr2' into android-msm-bonito-4.9-pi-qpr3
JUN 2019.2
Bug: 129973133
Change-Id: I4307f5fec0c7e27fa16d6b5f8c11450d18ad89db
Signed-off-by: Harrison Lingren <hlingren@google.com>
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 06801e7..8d1db7b 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -14576,7 +14576,7 @@
uint32_t total_len;
struct wmi_roam_scan_stats_res *res;
uint32_t i, j;
- uint32_t num_scans;
+ uint32_t num_scans, scan_param_size;
*res_param = NULL;
*vdev_id = 0xFF; /* Initialize to invalid vdev id */
@@ -14590,11 +14590,17 @@
return QDF_STATUS_E_INVAL;
fixed_param = param_buf->fixed_param;
- total_len = sizeof(*res) + fixed_param->num_roam_scans *
- sizeof(struct wmi_roam_scan_stats_params);
- *vdev_id = fixed_param->vdev_id;
num_scans = fixed_param->num_roam_scans;
+ scan_param_size = sizeof(struct wmi_roam_scan_stats_params);
+ *vdev_id = fixed_param->vdev_id;
+ if (num_scans > WMI_ROAM_SCAN_STATS_MAX) {
+ WMI_LOGE(FL("%u exceeded maximum roam scan stats: %u"),
+ num_scans, WMI_ROAM_SCAN_STATS_MAX);
+ return QDF_STATUS_E_INVAL;
+ }
+
+ total_len = sizeof(*res) + num_scans * scan_param_size;
res = qdf_mem_malloc(total_len);
if (!res) {
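Review bot: The new `num_scans > WMI_ROAM_SCAN_STATS_MAX` check is placed after `*vdev_id = fixed_param->vdev_id;`, so on the rejected path the caller's out-parameter is left holding the firmware-supplied vdev id instead of the 0xFF "invalid" value the function initialises it to at the top; moving the assignment below the check keeps the out-parameters consistent with the QDF_STATUS_E_INVAL return. With num_scans capped, `num_scans * scan_param_size` can no longer wrap, which is the point of the change, but the cap only validates the count against a compile-time maximum — whether it is also cross-checked against the actual TLV array length that the later per-scan loop walks is outside this hunk and worth confirming. The enclosing function starts before this hunk.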
@@ -14638,8 +14644,16 @@
if (param_buf->num_num_channels) {
uint32_t count, chan_info_sum = 0;
- for (count = 0; count < param_buf->num_num_channels; count++)
+ for (count = 0; count < param_buf->num_num_channels; count++) {
+ if (param_buf->num_channels[count] >
+ WMI_ROAM_SCAN_STATS_CHANNELS_MAX) {
+ WMI_LOGE(FL("%u exceeded max scan channels %u"),
+ param_buf->num_channels[count],
+ WMI_ROAM_SCAN_STATS_CHANNELS_MAX);
+ goto error;
+ }
chan_info_sum += param_buf->num_channels[count];
+ }
if (param_buf->chan_info &&
param_buf->num_chan_info == chan_info_sum)
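Review bot: The per-element check on `param_buf->num_channels[count]` rejects malformed input via `goto error`, which returns QDF_STATUS_E_FAILURE, while the equivalent cap check on num_scans earlier in this function returns QDF_STATUS_E_INVAL for the same class of bad firmware data; the roam-candidate loop in the next hunk has the same inconsistency, and aligning the error label on `return QDF_STATUS_E_INVAL;` would make the status meaningful to callers. The cap bounds each addend of `chan_info_sum` but not the number of addends, so whether the sum can still wrap on a 32-bit count depends on `num_num_channels` being tied to the already-capped num_scans, which is not visible here. The enclosing function starts before and ends after this hunk.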
@@ -14654,8 +14668,16 @@
uint32_t count, roam_cand_sum = 0;
for (count = 0; count < param_buf->num_num_roam_candidates;
- count++)
+ count++) {
+ if (param_buf->num_roam_candidates[count] >
+ WMI_ROAM_SCAN_STATS_CANDIDATES_MAX) {
+ WMI_LOGE(FL("%u exceeded max scan cand %u"),
+ param_buf->num_roam_candidates[count],
+ WMI_ROAM_SCAN_STATS_CANDIDATES_MAX);
+ goto error;
+ }
roam_cand_sum += param_buf->num_roam_candidates[count];
+ }
if (param_buf->bssid &&
param_buf->num_bssid == roam_cand_sum)
@@ -14735,6 +14757,9 @@
*res_param = res;
return QDF_STATUS_SUCCESS;
+error:
+ qdf_mem_free(res);
+ return QDF_STATUS_E_FAILURE;
}
/**