qcacld-3.0: Add buffer length check to avoid over-read

In wma_mgmt_rx_process, mgmt_rx_params->buf_len is read
from the message. If mgmt_rx_params->buf_len is larger than
data_len, it is possible to over-read from bufp with a
corrupted message.

Change-Id: I7f06d81fd18960d0d6c57cdb4594680178022087
CRs-Fixed: 2126972
Jingxiang Ge
2017-10-18 17:05:40 +08:00
committed by snandini
parent d4d7c8d1f6
commit 04c945017f

@@ -3781,6 +3781,12 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
return -EINVAL; return -EINVAL;
} }
if (mgmt_rx_params->buf_len > data_len) {
WMA_LOGE("%s: Invalid rx mgmt packet, data_len %u, mgmt_rx_params->buf_len %u",
__func__, data_len, mgmt_rx_params->buf_len);
return -EINVAL;
}
mgmt_rx_params->pdev_id = 0; mgmt_rx_params->pdev_id = 0;
mgmt_rx_params->rx_params = NULL; mgmt_rx_params->rx_params = NULL;
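
Review bot: The new error branch returns -EINVAL directly after the WMA_LOGE call without releasing mgmt_rx_params, which is already being dereferenced at that point. If it is heap-allocated earlier in wma_mgmt_rx_process (the allocation is not visible in this hunk), free it before `return -EINVAL;` so a malformed message cannot leak memory on every rejected frame. Separately, the check compares buf_len against the full data_len. If bufp points past a header inside data, a buf_len equal to data_len still passes and could read beyond the message, so consider bounding buf_len by the bytes remaining after bufp rather than by the total length.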