qcacld-2.0: Fix out of bounds bug in limProcessMessages

uMacPostCtrlMsg allocates memory of size tSirSmeScanAbortReq
for tSirMbMsg structure for scan abort msg that is posted to
mc thread. In limProcessMessages, we typecast the bodyptr to
tSirMbMsg and use data variable which results in slab out of
bounds bug.

Fix is to typecast the bodyptr to tSirSmeScanAbortReq
in limProcessMessages.

Change-Id: Iabeeabcba64ccc30895f57cbe40d969f1a9e6dca
CRs-Fixed: 2031160
Bug: 37082991
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Srinivas Girigowda 2017-04-10 00:33:48 -07:00 committed by syphyr
parent 50b57345ec
commit 20d177f49f

@ -1366,12 +1366,10 @@ limProcessMessages(tpAniSirGlobal pMac, tpSirMsgQ limMsg)
case eWNI_SME_SCAN_ABORT_IND:
{
tSirMbMsg *pMsg = limMsg->bodyptr;
tANI_U8 sessionId;
tSirSmeScanAbortReq *pMsg = (tSirSmeScanAbortReq *) limMsg->bodyptr;
if (pMsg)
{
sessionId = (tANI_U8) pMsg->data[0];
limProcessAbortScanInd(pMac, sessionId);
limProcessAbortScanInd(pMac, pMsg->sessionId);
vos_mem_free((v_VOID_t *)limMsg->bodyptr);
limMsg->bodyptr = NULL;
}
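
Review bot: the new cast in `tSirSmeScanAbortReq *pMsg = (tSirSmeScanAbortReq *) limMsg->bodyptr;` is only safe as long as every poster of eWNI_SME_SCAN_ABORT_IND allocates bodyptr as that type, and nothing in this case records or checks that coupling. The original bug was exactly this mismatch between the allocation size and the type used to read the body, so a short comment here naming uMacPostCtrlMsg as the allocator would help keep the two in sync. If tSirSmeScanAbortReq carries a length field, validating it before reading `pMsg->sessionId` would turn a future mismatch into a rejected message instead of another out-of-bounds read. Minor style point: the explicit cast from bodyptr is not needed in C if bodyptr is a void pointer, as the removed `tSirMbMsg *pMsg = limMsg->bodyptr;` line suggests.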