qcacld-3.0: Possible OOB write in rrm_process_radio_measurement_request

In case if two measurement requests calls update_rrm_report() twice, possible out-of-bounds write for the allocated report array, report[] in rrm_process_radio_measurement_request. Bug: 147103218 Change-Id: Icc8b7aa14bbcc1219d28025e599c9976a3525bba CRs-Fixed: 2564485 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
GrapheneOS-Archive · Jan 8, 2020 · d9b6c82 · d9b6c82
1 parent f5d0597
commit d9b6c82
Showing 1 changed file with 13 additions and 11 deletions.
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
@@ -1074,28 +1074,30 @@ QDF_STATUS rrm_process_beacon_req(tpAniSirGlobal mac_ctx, tSirMacAddr peer,
  */
 static
 QDF_STATUS update_rrm_report(tpAniSirGlobal mac_ctx,
-			     tpSirMacRadioMeasureReport report,
+			     tpSirMacRadioMeasureReport *report,
 			     tDot11fRadioMeasurementRequest *rrm_req,
 			     uint8_t *num_report, int index)
 {
-	if (report == NULL) {
+	tpSirMacRadioMeasureReport rrm_report;
+
+	if (!*report) {
 		/*
 		 * Allocate memory to send reports for
 		 * any subsequent requests.
 		 */
-		report = qdf_mem_malloc(sizeof(*report) *
+		*report = qdf_mem_malloc(sizeof(tSirMacRadioMeasureReport) *
 			 (rrm_req->num_MeasurementRequest - index));
-		if (NULL == report) {
-			pe_err("Unable to allocate memory during RRM Req processing");
+		if (!*report) {
+			pe_err("Fail to alloc mem during RRM Req processing");
 			return QDF_STATUS_E_NOMEM;
 		}
-		pe_debug("rrm beacon type incapable of %d report",
-			*num_report);
+		pe_debug("rrm beacon type incapable of %d report", *num_report);
 	}
-	report[*num_report].incapable = 1;
-	report[*num_report].type =
+	rrm_report = *report;
+	rrm_report[*num_report].incapable = 1;
+	rrm_report[*num_report].type =
 		rrm_req->MeasurementRequest[index].measurement_type;
-	report[*num_report].token =
+	rrm_report[*num_report].token =
 		 rrm_req->MeasurementRequest[index].measurement_token;
 	(*num_report)++;
 	return QDF_STATUS_SUCCESS;
@@ -1177,7 +1179,7 @@ rrm_process_radio_measurement_request(tpAniSirGlobal mac_ctx,
 			break;
 		default:
 			/* Send a report with incapabale bit set. */
-			status = update_rrm_report(mac_ctx, report, rrm_req,
+			status = update_rrm_report(mac_ctx, &report, rrm_req,
 						   &num_report, i);
 			if (QDF_STATUS_SUCCESS != status)
 				return status;