author | Kevin Cernekee <cernekee@google.com> | 2015-08-30 10:42:04 -0700 |
committer | Kevin Cernekee <cernekee@google.com> | 2015-08-30 11:00:15 -0700 |
commit | e900b04a91fd87e4d706be7ae3499d5fb9995188 (patch) | |
tree | 9feef0cc922ca2a8fbfaaa7e530e46a043d69d80 | |
parent | c9a71e699e03eb1c2c9ffddafc30fc0d4f02c18e (diff) | |
wifi_hal: Fix array overflow retrieving gscan results
WifiNative (in frameworks) allocates a 64-element wifi_cached_scan_results
array on the stack. The bcmdhd HAL can write past the end of this array
if the kernel provides excess scan data. Fix the sanity check so that
it terminates processing if it is out of space.
Bug: chrome-os-partner:44402
Change-Id: I99a9bcb180c3aafb294b4af85727e9ec412312df
-rw-r--r-- | bcmdhd/wifi_hal/gscan.cpp | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/bcmdhd/wifi_hal/gscan.cpp b/bcmdhd/wifi_hal/gscan.cpp
index 8a21a0d..9f5669a 100644
--- a/bcmdhd/wifi_hal/gscan.cpp
+++ b/bcmdhd/wifi_hal/gscan.cpp
@@ -935,6 +935,10 @@ public:
 num = it2.get_u32();
 ALOGV("retrieved num_results: %d", num);
 } else if (it2.get_type() == GSCAN_ATTRIBUTE_SCAN_RESULTS) {
+ if (mRetrieved >= mMax) {
+ ALOGW("Stored %d scans, ignoring excess results", mRetrieved);
+ break;
+ }
 num = it2.get_len() / sizeof(wifi_scan_result);
 num = min(MAX_RESULTS - mNextScanResult, num);
 num = min((int)MAX_AP_CACHE_PER_SCAN, num);
@@ -956,9 +960,6 @@ public:
 &(mScanResults[mNextScanResult]), num * sizeof(wifi_scan_result));
 mNextScanResult += num;
 mRetrieved++;
- if (mRetrieved >= mMax && it.has_next()) {
- ALOGW("Ignoring attributes after this scan");
- }
 } else {
 ALOGW("Ignoring invalid attribute type = %d, size = %d", it.get_type(), it.get_len()); |
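Review bot: The `break` in the new guard in the first hunk exits only the innermost loop (the one iterating `it2`), so if the outer `it` loop keeps going, the "ignoring excess results" warning is logged once per remaining scan attribute and each of those scans' sibling attributes (e.g. the `num_results` branch just above) is still parsed before the guard trips again; the enclosing loops start and end outside the hunk, so this is inferred from the two iterators visible here. If the outer loop does continue, consider making it stop as well, e.g. by adding `mRetrieved < mMax` to its loop condition or returning from the handler once the guard fires, so that processing terminates as the commit message states. The guard itself is the right bound to enforce: the clamps on the following lines only limit `num` against `MAX_RESULTS` and `MAX_AP_CACHE_PER_SCAN`, and presumably neither bounds the per-scan slot that `mRetrieved` selects in the caller-owned 64-element array.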