commit 99acad13c365ad2c31bf8d8045bf59ab3ce18e45
author Hsiu-Chang Chen <hsiuchangchen@google.com> Mon Jul 24 20:30:21 2023 -0700
committer Hsiu-Chang Chen <hsiuchangchen@google.com> Sun Dec 17 22:26:41 2023 +0800
tree cb221a4f047d84ef522bde3c0954543d52914d71
parent 00fdb0fd07b6d5959d8ed0ebce89d43908d8c51a

qcacld-3.0: Add a sanity check to prevent integer overflow

Currently in the function hdd_send_roam_scan_channel_freq_list_to_sme,
the num_chan variable is declared as uint8_t and is incremented
for each nested attribute PARAM_SCAN_FREQ_LIST.

If the number of attributes sent by userspace is more than max value
of uint8_t, then an integer overflow occurs.

To avoid this issue, add a sanity check to see if num_chan has reached
SIR_MAX_SUPPORTED_CHANNEL_LIST before incrementing variable.

Bug: 314786500
Test: Regression Test
Change-Id: I4085338df68c80f316909f85c6c04e3ac8b93cc2
CRs-Fixed: 3568577
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>

qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c

diff --git a/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c b/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
index 760a74b..5e7076c 100644
--- a/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
@@ -4919,12 +4919,13 @@
 		return QDF_STATUS_E_INVAL;
 	}
 
-	nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem)
+	nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem) {
+		if (num_chan >= SIR_MAX_SUPPORTED_CHANNEL_LIST) {
+			hdd_err("number of channels (%d) supported exceeded max (%d)",
+				num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);
+			return QDF_STATUS_E_INVAL;
+		}
 		num_chan++;
-	if (num_chan > SIR_MAX_SUPPORTED_CHANNEL_LIST) {
-		hdd_err("number of channels (%d) supported exceeded max (%d)",
-			num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);
-		return QDF_STATUS_E_INVAL;
 	}
 	num_chan = 0;