diff options
author | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2022-11-29 22:48:35 -0800 |
---|---|---|
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2023-03-19 16:07:07 +0800 |
commit | 624454a8800671bf1ced0d14a450eba18fbb000e (patch) | |
tree | b9c31f019868a1b99e042661ae0909f5546cab05 | |
parent | b81914402ed2b5913e89167eb5ac9359dcb8ce4b (diff) | |
download | wlan-624454a8800671bf1ced0d14a450eba18fbb000e.tar.gz |
qcacld-3.0: Fix OOB in wma_scan_roam.c
Currently in wma_extscan_hotlist_match_event_handler
API, dest_hotlist get memory allocation based on numap
which takes value from event->total_entries.
But numap is limited to WMA_EXTSCAN_MAX_HOTLIST_ENTRIES
and event->total_entries more than WMA_EXTSCAN_MAX_HOTLIST_ENTRIES
can cause out of bound issue.
Fix is to populate dest_hotlist->numOfAps from numap
instead of event->total_entries to avoid any out of bound issue.
Bug: 251051975
Test: Regression Test
Change-Id: I756f7e4a4dcd454508bba83d4a8bbbb139530905
CRs-Fixed: 3346781
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r-- | qcacld-3.0/core/wma/src/wma_scan_roam.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/qcacld-3.0/core/wma/src/wma_scan_roam.c b/qcacld-3.0/core/wma/src/wma_scan_roam.c index 548ad52..9b0fd2f 100644 --- a/qcacld-3.0/core/wma/src/wma_scan_roam.c +++ b/qcacld-3.0/core/wma/src/wma_scan_roam.c @@ -1583,7 +1583,7 @@ int wma_extscan_hotlist_match_event_handler(void *handle, return -ENOMEM; dest_ap = &dest_hotlist->ap[0]; - dest_hotlist->numOfAps = event->total_entries; + dest_hotlist->numOfAps = numap; dest_hotlist->requestId = event->config_request_id; if (event->first_entry_index + |