From 0df0ae40b0dc321b8b15bdd388d9ad4a4029f2a2 Mon Sep 17 00:00:00 2001 From: abhinav kumar Date: Wed, 11 Aug 2021 19:28:49 +0530 Subject: [PATCH] qcacmn: Possible OOB read in process_fw_diag_event_data API "fw_diag_data_event_handler" is the handler of an event WMI_DIAG_DATA_CONTAINER_EVENTID comes from FW. Arguments of this handler function come from FW. If num_data may be less than size of(struct wlan_diag_data), possible OOB while extracting event data. Fix is to add a sanity check for num_data to avoid the OOB read. Change-Id: Ia2eb62dbaa154936bdb4ea34065657d441f12810 CRs-Fixed: 3001178 --- utils/fwlog/dbglog_host.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/fwlog/dbglog_host.c b/utils/fwlog/dbglog_host.c index 3feebd4d05..3382eac76d 100644 --- a/utils/fwlog/dbglog_host.c +++ b/utils/fwlog/dbglog_host.c @@ -1694,7 +1694,7 @@ process_fw_diag_event_data(uint8_t *datap, uint32_t num_data) uint32_t diag_data_len; /* each fw diag payload */ struct wlan_diag_data *diag_data; - while (num_data > 0) { + while (num_data >= sizeof(struct wlan_diag_data)) { diag_data = (struct wlan_diag_data *)datap; diag_type = WLAN_DIAG_0_TYPE_GET(diag_data->word0); diag_data_len = WLAN_DIAG_0_LEN_GET(diag_data->word0);
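Review bot: The strengthened loop condition at the top of the hunk only guarantees that the fixed-size header (`struct wlan_diag_data`) is readable; the two context lines right after it extract `diag_data_len = WLAN_DIAG_0_LEN_GET(diag_data->word0)` from that header, and nothing in the shown lines bounds that FW-supplied payload length against the bytes actually remaining in `num_data`. Please confirm that a check such as `if (diag_data_len > num_data - sizeof(struct wlan_diag_data)) break;` exists before the payload is consumed and before `datap`/`num_data` are advanced by the entry size, or add one in this change, since the commit message describes the fix as closing the OOB read and a reviewer cannot verify that from the header check alone. A short comment above the `while` stating that the condition protects only the header read would also make the intent of the two checks clear to the next reader.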