wlan: Fix Out-of-bound access in sapInterferenceRssiCount

Fix out-of-bounds access in sapInterferenceRssiCount by checking
that each channel info pointer lies between the start address and
the end address of the channel info before it is used.

Change-Id: If21e09d0f11bd655a8e04139ccf55d3682734b17
CRs-Fixed: 2149350
gaurank kathpalia 2017-11-27 14:40:58 +05:30 committed by Nolen Johnson
parent 4f0971198b
commit ba43c1b6e6


@ -489,7 +489,9 @@ v_U32_t sapweightRssiCount(v_S7_t rssi, v_U16_t count)
SIDE EFFECTS
============================================================================*/
void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh,
tSapSpectChInfo *spect_ch_strt_addr,
tSapSpectChInfo *spect_ch_end_addr)
{
tSapSpectChInfo *pExtSpectCh = NULL;
v_S31_t rssi;
@ -497,7 +499,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
{
case CHANNEL_1:
pExtSpectCh = (pSpectCh + 1);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FIRST_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -509,7 +513,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 2);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_SEC_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -521,7 +527,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 3);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_THIRD_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -533,7 +541,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 4);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FOURTH_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -547,7 +557,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
break;
case CHANNEL_2:
pExtSpectCh = (pSpectCh - 1);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FIRST_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -559,7 +571,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 1);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FIRST_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -571,7 +585,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 2);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_SEC_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -583,7 +599,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 3);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_THIRD_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -603,7 +621,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
case CHANNEL_8:
case CHANNEL_9:
pExtSpectCh = (pSpectCh - 1);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FIRST_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -615,7 +635,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 1);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FIRST_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -627,7 +649,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 2);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_SEC_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -639,7 +663,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 2);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_SEC_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -653,7 +679,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
break;
case CHANNEL_10:
pExtSpectCh = (pSpectCh - 1);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FIRST_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -665,7 +693,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 1);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FIRST_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -677,7 +707,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 2);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_SEC_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -689,7 +721,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 3);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_THIRD_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -703,7 +737,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
break;
case CHANNEL_11:
pExtSpectCh = (pSpectCh - 1);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FIRST_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -715,7 +751,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 2);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_SEC_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -727,7 +765,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 3);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_THIRD_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -739,7 +779,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 4);
if(pExtSpectCh != NULL)
if (pExtSpectCh != NULL &&
(pExtSpectCh >= spect_ch_strt_addr &&
pExtSpectCh < spect_ch_end_addr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_24GHZ_FOURTH_OVERLAP_CHAN_RSSI_EFFECT_PRIMARY;
@ -796,6 +838,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
v_U32_t ieLen = 0;
tSirProbeRespBeacon *pBeaconStruct;
tpAniSirGlobal pMac = (tpAniSirGlobal) halHandle;
tSapSpectChInfo *pSpectChStartAddr = pSpectInfoParams->pSpectCh;
tSapSpectChInfo *pSpectChEndAddr =
pSpectInfoParams->pSpectCh + pSpectInfoParams->numSpectChans;
if(eHAL_STATUS_SUCCESS != palAllocateMemory(pMac->hHdd,
(void **)&pBeaconStruct, sizeof(tSirProbeRespBeacon)))
@ -880,7 +925,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
tSapSpectChInfo *pExtSpectCh = NULL;
case PHY_DOUBLE_CHANNEL_LOW_PRIMARY: // Above the Primary Channel
pExtSpectCh = (pSpectCh + 1);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND1_RSSI_EFFECT_PRIMARY;
@ -895,7 +942,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
break;
case PHY_DOUBLE_CHANNEL_HIGH_PRIMARY: // Below the Primary channel
pExtSpectCh = (pSpectCh - 1);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
rssi = pSpectCh->rssiAgr + SAP_SUBBAND1_RSSI_EFFECT_PRIMARY;
if (IS_RSSI_VALID(pExtSpectCh->rssiAgr, rssi))
@ -914,7 +963,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
{
tSapSpectChInfo *pExtSpectCh = NULL;
pExtSpectCh = (pSpectCh + 1);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND1_RSSI_EFFECT_PRIMARY;
@ -926,7 +977,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 2);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND2_RSSI_EFFECT_PRIMARY;
@ -938,7 +991,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 3);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND3_RSSI_EFFECT_PRIMARY;
@ -954,7 +1009,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
{
tSapSpectChInfo *pExtSpectCh = NULL;
pExtSpectCh = (pSpectCh - 1 );
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND1_RSSI_EFFECT_PRIMARY;
@ -966,7 +1023,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 1);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND1_RSSI_EFFECT_PRIMARY;
@ -978,7 +1037,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 2);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND2_RSSI_EFFECT_PRIMARY;
@ -994,7 +1055,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
{
tSapSpectChInfo *pExtSpectCh = NULL;
pExtSpectCh = (pSpectCh - 1 );
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND1_RSSI_EFFECT_PRIMARY;
@ -1006,7 +1069,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 2);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND2_RSSI_EFFECT_PRIMARY;
@ -1018,7 +1083,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh + 1);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND1_RSSI_EFFECT_PRIMARY;
@ -1034,7 +1101,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
{
tSapSpectChInfo *pExtSpectCh = NULL;
pExtSpectCh = (pSpectCh - 1 );
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND1_RSSI_EFFECT_PRIMARY;
@ -1046,7 +1115,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 2);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND2_RSSI_EFFECT_PRIMARY;
@ -1058,7 +1129,9 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
}
pExtSpectCh = (pSpectCh - 3);
if(pExtSpectCh != NULL)
if( pExtSpectCh != NULL &&
(pExtSpectCh >= pSpectChStartAddr &&
pExtSpectCh < pSpectChEndAddr))
{
++pExtSpectCh->bssCount;
rssi = pSpectCh->rssiAgr + SAP_SUBBAND3_RSSI_EFFECT_PRIMARY;
@ -1075,7 +1148,8 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
}
else if(operatingBand == RF_SUBBAND_2_4_GHZ)
{
sapInterferenceRssiCount(pSpectCh);
sapInterferenceRssiCount(pSpectCh, pSpectChStartAddr,
pSpectChEndAddr);
}
VOS_TRACE(VOS_MODULE_ID_SAP, VOS_TRACE_LEVEL_INFO_HIGH,
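Review bot: The range test added at every `pExtSpectCh = (pSpectCh ± k)` site in sapInterferenceRssiCount and sapComputeSpectWeight runs only after the out-of-range pointer has already been formed, and C leaves both that arithmetic and the relational comparison undefined once the result lies before the start or more than one past the end of the array, so the guard depends on the compiler not reasoning from that; comparing element indices avoids forming the pointer at all. The retained `pExtSpectCh != NULL` term can never be false for an offset from a valid pointer, and the same three-line condition is repeated at each site, which makes a missed neighbour access easy to overlook in later edits. A single helper that returns NULL for an out-of-range neighbour, as sketched below, would make the existing NULL test meaningful and keep the bound in one place; it assumes pSpectCh itself points into [start, end), which the visible hunks do not show. Both function bodies extend beyond the hunks shown, so sites outside them could not be checked.

```c
// Returns the entry at pSpectCh + offset, or NULL when it lies outside [start, end).
static tSapSpectChInfo *sapNeighbourSpectCh(tSapSpectChInfo *pSpectCh, long offset,
                                            tSapSpectChInfo *start,
                                            tSapSpectChInfo *end)
{
    long idx = pSpectCh - start;   // position of the primary channel entry
    long cnt = end - start;        // number of channel entries

    if (idx < 0 || idx >= cnt)
        return NULL;
    if (offset < -idx || offset >= cnt - idx)
        return NULL;
    return pSpectCh + offset;
}

// … unchanged: switch on the channel id …
        pExtSpectCh = sapNeighbourSpectCh(pSpectCh, 1, spect_ch_strt_addr,
                                          spect_ch_end_addr);
        if (pExtSpectCh != NULL)
// … unchanged: bssCount / rssiAgr update …
```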