qcacmn: Add size checks in diag_fw_handler

Correct the invalid type conversions in diag_fw_handler.

Change-Id: I930c8602c0f98d19b7276987cbb4d42e4757e267
CRs-Fixed: 2129581
Amar Singhal
2017-10-17 11:16:15 -07:00
committed by snandini
parent 739e33f1e0
commit 009d7f1ab2


@@ -1847,7 +1847,7 @@ static int diag_fw_handler(ol_scn_t scn, uint8_t *data, uint32_t datalen)
{
tp_wma_handle wma = (tp_wma_handle) scn;
wmitlv_cmd_param_info *param_buf;
WMI_DIAG_EVENTID_param_tlvs *param_buf;
uint8_t *datap;
uint32_t len = 0;
uint32_t *buffer;
@@ -1862,22 +1862,37 @@ static int diag_fw_handler(ol_scn_t scn, uint8_t *data, uint32_t datalen)
len = datalen;
wma->is_fw_assert = 0;
} else {
param_buf = (wmitlv_cmd_param_info *) data;
param_buf = (WMI_DIAG_EVENTID_param_tlvs *) data;
if (!param_buf) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
("Get NULL point message from FW\n"));
return A_ERROR;
}
param_buf = (wmitlv_cmd_param_info *) data;
datap = param_buf->tlv_ptr;
len = param_buf->num_elements;
datap = param_buf->bufp;
len = param_buf->num_bufp;
if (!get_version) {
if (len < 2*(sizeof(uint32_t))) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
("len is less than expected\n"));
return A_ERROR;
}
buffer = (uint32_t *) datap;
buffer++; /* skip offset */
if (WLAN_DIAG_TYPE_CONFIG == DIAG_GET_TYPE(*buffer)) {
if (len < 3*(sizeof(uint32_t))) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
("len is less than expected\n"));
return A_ERROR;
}
buffer++; /* skip */
if (DIAG_VERSION_INFO == DIAG_GET_ID(*buffer)) {
if (len < 4*(sizeof(uint32_t))) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR,
("len is less than expected\n"));
return A_ERROR;
}
buffer++; /* skip */
/* get payload */
get_version = *buffer;
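Review bot: The new length checks bound the reads against `param_buf->num_bufp` alone; nothing in this hunk checks `param_buf->bufp` for NULL before `buffer = (uint32_t *) datap`, or relates `num_bufp` to the `datalen` the handler was called with. Both values originate from a firmware event, so unless the TLV parser already guarantees them, a guard right after `len = param_buf->num_bufp;` such as `if (!datap || len > datalen) return A_ERROR;` would close that gap (the `datalen` comparison assumes it is the size of the underlying event buffer on this path, which should be confirmed). The three added checks also log the identical string `"len is less than expected\n"`, so a rejected event cannot be attributed to a specific check; including `len` and the required size in the message would help triage of malformed events. diag_fw_handler's body starts before and continues past the visible lines.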