
qcacmn: Add size checks in diag_fw_handler

Correct the invalid type conversions in diag_fw_handler.

Change-Id: I930c8602c0f98d19b7276987cbb4d42e4757e267
CRs-Fixed: 2129581
Amar Singhal 7 years ago
parent
commit
009d7f1ab2
1 changed files with 20 additions and 5 deletions
  1. 20 5
      utils/fwlog/dbglog_host.c

+ 20 - 5
utils/fwlog/dbglog_host.c

@@ -1847,7 +1847,7 @@ static int diag_fw_handler(ol_scn_t scn, uint8_t *data, uint32_t datalen)
 {
 
 	tp_wma_handle wma = (tp_wma_handle) scn;
-	wmitlv_cmd_param_info *param_buf;
+	WMI_DIAG_EVENTID_param_tlvs *param_buf;
 	uint8_t *datap;
 	uint32_t len = 0;
 	uint32_t *buffer;
@@ -1862,22 +1862,37 @@ static int diag_fw_handler(ol_scn_t scn, uint8_t *data, uint32_t datalen)
 		len = datalen;
 		wma->is_fw_assert = 0;
 	} else {
-		param_buf = (wmitlv_cmd_param_info *) data;
+		param_buf = (WMI_DIAG_EVENTID_param_tlvs *) data;
 		if (!param_buf) {
 			AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
 					("Get NULL point message from FW\n"));
 			return A_ERROR;
 		}
 
-		param_buf = (wmitlv_cmd_param_info *) data;
-		datap = param_buf->tlv_ptr;
-		len = param_buf->num_elements;
+		datap = param_buf->bufp;
+		len = param_buf->num_bufp;
+
 		if (!get_version) {
+			if (len < 2*(sizeof(uint32_t))) {
+				AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+						("len is less than expected\n"));
+				return A_ERROR;
+			}
 			buffer = (uint32_t *) datap;
 			buffer++;       /* skip offset */
 			if (WLAN_DIAG_TYPE_CONFIG == DIAG_GET_TYPE(*buffer)) {
+				if (len < 3*(sizeof(uint32_t))) {
+					AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+							("len is less than expected\n"));
+					return A_ERROR;
+				}
 				buffer++;       /* skip  */
 				if (DIAG_VERSION_INFO == DIAG_GET_ID(*buffer)) {
+					if (len < 4*(sizeof(uint32_t))) {
+						AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
+								("len is less than expected\n"));
+						return A_ERROR;
+					}
 					buffer++;       /* skip  */
 					/* get payload */
 					get_version = *buffer;
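Review bot: The new length checks run only inside `if (!get_version)`, so once the version word has been captured, a firmware event of any length reaches the code after this hunk with `datap` and `len` unchecked. `param_buf->bufp` is also never tested for NULL before `buffer` is dereferenced. If the remainder of diag_fw_handler (outside this hunk) reads the same header words, a guard ahead of the `if (!get_version)` block such as `if (!datap || len < 2 * sizeof(uint32_t)) return A_ERROR;` would cover both paths; whether the later parsing does its own bounds checking cannot be seen from here. The three rejections also log the identical string `len is less than expected`, so including `len` and the required size in each message would make a malformed event diagnosable from the log.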