qcacld-3.0: Add check to avoid potential OOB access for bssid_list
In wma_group_num_bss_to_scan_id(), bssid_list may be accessed out
of boundary.
Add check to avoid potential OOB access for bssid_list.
Bug: 245789946
Test: Regression Test
Change-Id: I218af0fe617f64a50c7c296c622f7fac01e1b4fc
CRs-Fixed: 3357461
Signed-off-by: Hsiu-Chang Chen <[email protected]>
diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
index 8d5b6c7..62e64d8 100644
--- a/core/wma/src/wma_scan_roam.c
+++ b/core/wma/src/wma_scan_roam.c
@@ -5168,6 +5168,7 @@
struct extscan_cached_scan_results *t_cached_result;
struct extscan_cached_scan_result *t_scan_id_grp;
int i, j;
+ uint32_t total_scan_num_results = 0;
tSirWifiScanResult *ap;
param_buf = (WMI_EXTSCAN_CACHED_RESULTS_EVENTID_param_tlvs *)
@@ -5178,17 +5179,20 @@
t_cached_result = cached_result;
t_scan_id_grp = &t_cached_result->result[0];
- if ((t_cached_result->num_scan_ids *
- QDF_MIN(t_scan_id_grp->num_results,
- param_buf->num_bssid_list)) > param_buf->num_bssid_list) {
- WMA_LOGE("%s:num_scan_ids %d, num_results %d num_bssid_list %d",
+ for (i = 0; i < t_cached_result->num_scan_ids; i++) {
+ total_scan_num_results += t_scan_id_grp->num_results;
+ t_scan_id_grp++;
+ }
+
+ if (total_scan_num_results > param_buf->num_bssid_list) {
+ WMA_LOGE("%s:total_scan_num_results %d, num_bssid_list %d",
__func__,
- t_cached_result->num_scan_ids,
- t_scan_id_grp->num_results,
- param_buf->num_bssid_list);
+ total_scan_num_results,
+ param_buf->num_bssid_list);
return -EINVAL;
}
+ t_scan_id_grp = &t_cached_result->result[0];
WMA_LOGD("%s: num_scan_ids:%d", __func__,
t_cached_result->num_scan_ids);
for (i = 0; i < t_cached_result->num_scan_ids; i++) {
@@ -5200,8 +5204,7 @@
return -ENOMEM;
ap = &t_scan_id_grp->ap[0];
- for (j = 0; j < QDF_MIN(t_scan_id_grp->num_results,
- param_buf->num_bssid_list); j++) {
+ for (j = 0; j < t_scan_id_grp->num_results; j++) {
ap->channel = src_hotlist->channel;
ap->ts = WMA_MSEC_TO_USEC(src_rssi->tstamp);
ap->rtt = src_hotlist->rtt;
