qcacld-3.0: Add a sanity check to prevent integer overflow
Currently in the function hdd_send_roam_scan_channel_freq_list_to_sme,
the num_chan variable is declared as uint8_t and is incremented
for each nested attribute PARAM_SCAN_FREQ_LIST.
If the number of attributes sent by userspace is more than max value
of uint8_t, then an integer overflow occurs.
To avoid this issue, add a sanity check to see if num_chan has reached
SIR_MAX_SUPPORTED_CHANNEL_LIST before incrementing variable.
Bug: 314786500
Test: Regression Test
Change-Id: I4085338df68c80f316909f85c6c04e3ac8b93cc2
CRs-Fixed: 3568577
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
diff --git a/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c b/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
index 760a74b..5e7076c 100644
--- a/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
@@ -4919,12 +4919,13 @@
return QDF_STATUS_E_INVAL;
}
- nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem)
+ nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem) {
+ if (num_chan >= SIR_MAX_SUPPORTED_CHANNEL_LIST) {
+ hdd_err("number of channels (%d) supported exceeded max (%d)",
+ num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);
+ return QDF_STATUS_E_INVAL;
+ }
num_chan++;
- if (num_chan > SIR_MAX_SUPPORTED_CHANNEL_LIST) {
- hdd_err("number of channels (%d) supported exceeded max (%d)",
- num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);
- return QDF_STATUS_E_INVAL;
}
num_chan = 0;