From fdda9c0af64d6e5cdf006e2d8dd57e655821a962 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda
Date: Sun, 10 Apr 2016 00:35:17 -0700
Subject: qcacld-2.0: Fix buffer overwrite problem in CCXPLMREQ
Set the number of channels to minimum of input data and WNI_CFG_VALID_CHANNEL_LIST_LEN.
Change-Id: Ib6fca483ac99cddfcd3b739ce62e86ecd498f1f5
CRs-Fixed: 1001450
---
 CORE/HDD/src/wlan_hdd_main.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index a6249e1..38452eb 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -3002,8 +3002,9 @@ static eHalStatus hdd_parse_plm_cmd(tANI_U8 *pValue, tSirPlmReq *pPlmRequest)
 if (content < 0) return eHAL_STATUS_FAILURE;
+ content = VOS_MIN(content, WNI_CFG_VALID_CHANNEL_LIST_LEN);
 pPlmRequest->plmNumCh = content;
- hddLog(VOS_TRACE_LEVEL_DEBUG, "numch %d", pPlmRequest->plmNumCh);
+ hddLog(LOG1, FL("Numch: %d"), pPlmRequest->plmNumCh);
 /* Channel numbers */
 for (count = 0; count < pPlmRequest->plmNumCh; count++)
@@ -3021,10 +3022,9 @@ static eHalStatus hdd_parse_plm_cmd(tANI_U8 *pValue, tSirPlmReq *pPlmRequest)
 if (1 != ret) return eHAL_STATUS_FAILURE;
 ret = kstrtos32(buf, 10, &content);
- if ( ret < 0) return eHAL_STATUS_FAILURE;
-
- if (content <= 0)
- return eHAL_STATUS_FAILURE;
+ if (ret < 0 || content <= 0 ||
+ content > WNI_CFG_CURRENT_CHANNEL_STAMAX)
+ return eHAL_STATUS_FAILURE;
 pPlmRequest->plmChList[count]= content;
 hddLog(VOS_TRACE_LEVEL_DEBUG, " ch- %d",
@@ -6464,11 +6464,11 @@ static int hdd_driver_command(hdd_adapter_t *pAdapter,
 {
 tANI_U8 *value = command;
 eHalStatus status = eHAL_STATUS_SUCCESS;
- tpSirPlmReq pPlmRequest = NULL;
+ tpSirPlmReq pPlmRequest;
 pPlmRequest = vos_mem_malloc(sizeof(tSirPlmReq));
 if (NULL == pPlmRequest){
- ret = -EINVAL;
+ ret = -ENOMEM;
 goto exit;
 }
-- cgit v1.1
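Review bot: The added `VOS_MIN` clamp in the first hunk silently truncates an over-long channel count instead of rejecting the command, so a request that announces more channels than the list can hold is accepted and its remaining channel tokens are ignored. The context line above already fails on `content < 0`, so the upper bound could be rejected in the same place: `if (content < 0 || content > WNI_CFG_VALID_CHANNEL_LIST_LEN) return eHAL_STATUS_FAILURE;`. The declaration of `plmChList` is not visible in this hunk, so it is worth confirming that the array holds at least WNI_CFG_VALID_CHANNEL_LIST_LEN entries, or bounding by `sizeof(pPlmRequest->plmChList) / sizeof(pPlmRequest->plmChList[0])` so the limit cannot drift from the buffer. hdd_parse_plm_cmd starts and ends outside the hunk.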
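Review bot: The merged condition in the second hunk returns `eHAL_STATUS_FAILURE` for three different causes (a `kstrtos32` error, a non-positive value, a value above `WNI_CFG_CURRENT_CHANNEL_STAMAX`) without logging any of them, so a rejected channel entry leaves no trace in the driver log. An error-level message before the return, for example `hddLog(VOS_TRACE_LEVEL_ERROR, FL("invalid PLM channel entry"));`, would make malformed commands visible. The trailing context line still uses the bare `hddLog(VOS_TRACE_LEVEL_DEBUG, " ch- %d", ...` form while the first hunk switched to `hddLog(LOG1, FL(...))`, so the two debug logs in this function no longer match in style. The loop body continues outside the hunk.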
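Review bot: Nothing in the third hunk zeroes the buffer returned by `vos_mem_malloc`, and the code that fills and submits the request lies after the hunk's last line, so it cannot be checked from here. If that allocator does not clear memory, any `tSirPlmReq` field the parser leaves unset (including channel slots beyond `plmNumCh`) would carry stale heap bytes into the request; clearing it right after the NULL check with `vos_mem_zero(pPlmRequest, sizeof(*pPlmRequest));` would rule that out. Writing the allocation size as `sizeof(*pPlmRequest)` would also keep it tied to the pointer's type.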