Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8d2b166b authored by Aditya Kodukula's avatar Aditya Kodukula Committed by Ravindra Konda
Browse files

qcacld-3.0: Add a sanity check to prevent integer overflow 

Currently in the function hdd_send_roam_scan_channel_freq_list_to_sme,
the num_chan variable is declared as uint8_t and is incremented
for each nested attribute PARAM_SCAN_FREQ_LIST.

If the number of attributes sent by userspace is more than max value
of uint8_t, then an integer overflow occurs.

To avoid this issue, add a sanity check to see if num_chan has reached
SIR_MAX_SUPPORTED_CHANNEL_LIST before incrementing variable.

Change-Id: I601a73a118eb65ebb8575f6ed5ed1f29d915f59e
CRs-Fixed: 3568577
parent e09fe887

core/hdd/src/wlan_hdd_cfg80211.c

+7 −6
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2012-2021 The Linux Foundation. All rights reserved.

 * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.

 * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.

 *

 * Permission to use, copy, modify, and/or distribute this software for

 * any purpose with or without fee is hereby granted, provided that the
@@ -4603,13 +4603,14 @@ hdd_send_roam_scan_channel_freq_list_to_sme(struct hdd_context *hdd_ctx, 
		return QDF_STATUS_E_INVAL;

	}









	nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem)









		num_chan++;









	if (num_chan > SIR_MAX_SUPPORTED_CHANNEL_LIST) {









	nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem) {









		if (num_chan >= SIR_MAX_SUPPORTED_CHANNEL_LIST) {









			hdd_err("number of channels (%d) supported exceeded max (%d)",









				num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);









			return QDF_STATUS_E_INVAL;









		}









		num_chan++;









	}









	num_chan = 0;

















	nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem) {