2017-11-25 19:39:02 -05:00


From adb96af5b080dfe4ee29961a17ed3f04c87d5519 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Mon, 21 Aug 2017 16:56:01 -0700
Subject: [PATCH] qcacld-2.0: Add bound check before writing to channel list
qcacld-3.0 to qcacld-2.0 propagation
In function rrm_process_beacon_report_req, add bound check before
writing to channel list which is of fixed size.
Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
CRs-Fixed: 2060138
Bug: 64438727
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
index 3fb65c45c2925..ddf22cd957db2 100644
--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -628,14 +628,21 @@ rrmProcessBeaconReportReq( tpAniSirGlobal pMac,
pSmeBcnReportReq->channelList.numChannels = num_channels;
if( pBeaconReq->measurement_request.Beacon.num_APChannelReport )
{
- tANI_U8 *pChanList = pSmeBcnReportReq->channelList.channelNumber;
+ tANI_U8 *ch_lst = pSmeBcnReportReq->channelList.channelNumber;
+ uint8_t len;
+ uint16_t ch_ctr = 0;
for( num_APChanReport = 0 ; num_APChanReport < pBeaconReq->measurement_request.Beacon.num_APChannelReport ; num_APChanReport++ )
{
- vos_mem_copy(pChanList,
- pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].channelList,
- pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList);
+ len = pBeaconReq->measurement_request.Beacon.
+ APChannelReport[num_APChanReport].num_channelList;
+ if(ch_ctr + len > sizeof(pSmeBcnReportReq->channelList.channelNumber))
+ break;
+
+ vos_mem_copy(&ch_lst[ch_ctr],
+ pBeaconReq->measurement_request.Beacon.
+ APChannelReport[num_APChanReport].channelList, len);
- pChanList += pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList;
+ ch_ctr += len;
}
}
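Review bot: `channelList.numChannels` is assigned from `num_channels` on the first line of the hunk, before the loop, and is not corrected when the new `break` stops copying early, so the reported count can exceed the number of entries actually written to `channelNumber`. How `num_channels` is computed lies outside the hunk, so this needs confirming, but if it is an unclamped total taken from the received request, any consumer that iterates up to `numChannels` would read uninitialised bytes or run past the fixed-size array. If the count covers only the AP channel report entries, clamp it after the loop with `if (ch_ctr < pSmeBcnReportReq->channelList.numChannels) pSmeBcnReportReq->channelList.numChannels = ch_ctr;`. It would also help to log at the `break` so an oversized request is visible in diagnostics rather than silently truncated. The enclosing function starts and ends outside the hunk.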