Commit d1dfcc63 authored Nov 30, 2021 by Liangwei Dong Committed by Madan Koyyalamudi Jan 18, 2022

qcacld-3.0: Fix slab-out-of-bounds in radio stats

When fixed_param->num_radio is 0 from FW, host allocates
struct tSirLLStatsResults with 0 count of struct wifi_radio_stats
to wma_handle->link_stats_results.
When the second radio stats comes, the driver will
not allocate wma_handle->link_stats_results because
wma_handle->link_stats_results is not NULL.
Later driver will access the wma_handle->link_stats_results based
on radio_stats->radio_id. This will access invalid memory
because the original wma_handle->link_stats_results memory
didn't include the wifi_radio_stats.
Fix by free the link_stats_results if
wma_handle->link_stats_results->num_radio is 0, then driver
will allocate wma_handle->link_stats_results memory including
the struct wifi_radio_stats based on num_radio.

Change-Id: Ie1d6bbe8c668d2fb475fddb60907fd13a7f8de66
CRs-Fixed: 3082779

parent 04958951

core/wma/src/wma_utils.c

+4 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
		* Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
		*
		* Permission to use, copy, modify, and/or distribute this software for
		* any purpose with or without fee is hereby granted, provided that the
		@@ -2167,6 +2168,9 @@ static int wma_unified_link_radio_stats_event_handler(void *handle,
		fixed_param->num_radio);
		return -EINVAL;
		}
		if (wma_handle->link_stats_results &&
		!wma_handle->link_stats_results->num_radio)
		wma_unified_radio_tx_mem_free(wma_handle);

		if (!wma_handle->link_stats_results) {
		wma_handle->link_stats_results = qdf_mem_malloc(