Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 05d1a3a7 authored by Harprit Chhabada's avatar Harprit Chhabada Committed by nshrivas
Browse files

qcacmn: Add bound check for num_per_chain_rssi_stats 

Add bound check rssi_event->num_per_chain_rssi_stats in
extract_all_stats_counts_tlv().

ev->num_chain_rssi_stats in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
is derived from rssi_event->num_per_chain_rssi_stats
and is used as limit in for loop.

As length was never checked multiple qdf_mem_copy calls in
wmi_extract_per_chain_rssi_stats() used in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
will result in an OOB issue.

Change-Id: I204744e1435e687e33f2165744a92cdb8b975a51
CRs-Fixed: 2322298
parent 34069958

wmi/src/wmi_unified_tlv.c

+6 −0
Original line number Diff line number Diff line
@@ -18631,6 +18631,12 @@ static QDF_STATUS extract_all_stats_counts_tlv(wmi_unified_t wmi_handle, 
	    WMITLV_GET_TLVLEN(rssi_event->tlv_header))

		return QDF_STATUS_SUCCESS;













	if (rssi_event->num_per_chain_rssi_stats >=













	    WMITLV_GET_TLVLEN(rssi_event->tlv_header)) {













		WMI_LOGE("num_per_chain_rssi_stats:%u is out of bounds",













			 rssi_event->num_per_chain_rssi_stats);













		return QDF_STATUS_E_INVAL;













	}















	stats_param->num_rssi_stats = rssi_event->num_per_chain_rssi_stats;





























	return QDF_STATUS_SUCCESS;