qcacld-2.0: Add a NULL check on channels in IOCTL SETROAMSCANCHANNELS
qcacld-3.0 to qcacld-2.0 propagation User sends driver a list of roaming scan channels to set through IOCTL SETROAMSCANCHANNELS. The parameters include the number of elements in the array, followed by channel array and then a NULL character. But when driver loops through the channel array it doesn't have a NULL check. An erroneous number of elements passed by user may cause buffer overread. Add a NULL check on channels passed in IOCTL SETROAMSCANCHANNELS. Change-Id: I7342aa5cf8e5267b7ed06a4e35b1ed882fb97893 CRs-Fixed: 2257064
This commit is contained in:
parent
0834b88e7d
commit
81c61e122f
|
@ -2853,6 +2853,14 @@ hdd_parse_set_roam_scan_channels_v2(hdd_adapter_t *pAdapter,
|
|||
|
||||
for (i = 0; i < num_chan; i++) {
|
||||
channel = *value++;
|
||||
if (!channel) {
|
||||
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
|
||||
"%s: Channels end at index %d, expected %d",
|
||||
__func__, i, num_chan);
|
||||
ret = -EINVAL;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (channel > WNI_CFG_CURRENT_CHANNEL_STAMAX) {
|
||||
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
|
||||
"%s: index %d invalid channel %d", __func__, i, channel);
|
||||
|
|
Loading…
Reference in New Issue