
Commit 19e1fa81 authored by Jia Ding, committed by Gerrit - the friendly Code Review server

cnss2: Fix potential null dereference and buffer overrun



plat_priv is dereferenced before NULL check.
Thus fix it by first doing the NULL check and then dereference.

In bypass_bdf path, temp is set to DUMMY_BDF_FILE_NAME and
remaining is set to MAX_FIRMWARE_NAME_LEN. Since
MAX_FIRMWARE_NAME_LEN is larger than length of temp buffer,
memcpy will lead to an out-of-bounds access. Thus fix it
by properly setting remaining.

Change-Id: I650bb743f3d603dec43ae1e291226af67477357f
Signed-off-by: Jia Ding <jiad@codeaurora.org>
parent a89210c1
+4 −4
@@ -2122,13 +2122,13 @@ static ssize_t fs_ready_store(struct device *dev,
	cnss_pr_dbg("File system is ready, fs_ready is %d, count is %zu\n",
		    fs_ready, count);

	if (test_bit(QMI_BYPASS, &plat_priv->ctrl_params.quirks)) {
		cnss_pr_dbg("QMI is bypassed.\n");
	if (!plat_priv) {
		cnss_pr_err("plat_priv is NULL!\n");
		return count;
	}

	if (!plat_priv) {
		cnss_pr_err("plat_priv is NULL!\n");
	if (test_bit(QMI_BYPASS, &plat_priv->ctrl_params.quirks)) {
		cnss_pr_dbg("QMI is bypassed.\n");
		return count;
	}
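
Review bot: on the `!plat_priv` path the handler still does `return count;`, so a write to fs_ready is reported as fully consumed even though nothing was done; consider returning a negative errno (for example -ENODEV) there so userspace can tell the two cases apart. The reordering itself is correct, since `test_bit(QMI_BYPASS, &plat_priv->ctrl_params.quirks)` reads through plat_priv, while the cnss_pr_dbg call above the check only uses fs_ready and count. The assignment of plat_priv is outside this hunk, so it is worth confirming that nothing earlier in fs_ready_store dereferences it.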

+1 −1
@@ -553,7 +553,7 @@ int cnss_wlfw_bdf_dnld_send_sync(struct cnss_plat_data *plat_priv,
				     filename, sizeof(filename));
	if (ret > 0) {
		temp = DUMMY_BDF_FILE_NAME;
		remaining = MAX_FIRMWARE_NAME_LEN;
		remaining = strlen(DUMMY_BDF_FILE_NAME) + 1;
		goto bypass_bdf;
	} else if (ret < 0) {
		goto err_req_fw;
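
Review bot: `remaining = strlen(DUMMY_BDF_FILE_NAME) + 1;` deserves a short comment saying the +1 covers the terminating NUL, and if DUMMY_BDF_FILE_NAME is a string-literal macro, `sizeof(DUMMY_BDF_FILE_NAME)` yields the same length at compile time without the runtime call. The copy at the bypass_bdf label is not visible in this hunk; because that label is shared with the real firmware path, check that the copy length there is also bounded by the destination buffer size and not only by remaining.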