From 1d25d6d7fc844cc79d582ada7380ceb4786ef7bb Mon Sep 17 00:00:00 2001
From: Varun Reddy Yeturu
Date: Sun, 20 Aug 2017 13:41:02 -0700
Subject: [PATCH] qcacmn: Add sanity check to avoid len overflow issue in WMI event data

In WMI/WMA, data from event buffer from FW is used without sanity checks for upper limit in multiple places. This might lead to a potential integer overflow further leading to buffer corruption

Add upper bound checks for max limit of event buffer (1536) in all affected places to prevent the potential integer overflow

Change-Id: Ic9194a27c4a4c63fc68ff7fc61165a53e66ca4f4
CRs-Fixed: 2095545
---
 wmi/inc/wmi_unified_param.h | 1 +
 wmi/src/wmi_unified_tlv.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/wmi/inc/wmi_unified_param.h b/wmi/inc/wmi_unified_param.h
index a2dfe82f2c..085e287842 100644
--- a/wmi/inc/wmi_unified_param.h
+++ b/wmi/inc/wmi_unified_param.h
@@ -93,6 +93,7 @@
 #define WMI_MSEC_TO_USEC(msec) (msec * 1000) /* msec to usec */
 #define WMI_NLO_FREQ_THRESH 1000 /* in MHz */
+#define WMI_SVC_MSG_MAX_SIZE 1536
 #define MAX_UTF_EVENT_LENGTH 2048
 #define MAX_WMI_UTF_LEN 252
 #define MAX_WMI_QVIT_LEN 252
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index f708534f3f..5d7ab3fc47 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -12447,6 +12447,13 @@ static QDF_STATUS send_log_supported_evt_cmd_tlv(wmi_unified_t wmi_handle,
 if (wmi_handle->events_logs_list)
 qdf_mem_free(wmi_handle->events_logs_list);
+ if (num_of_diag_events_logs >
+ (WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t))) {
+ WMI_LOGE("%s: excess num of logs:%d", __func__,
+ num_of_diag_events_logs);
+ QDF_ASSERT(0);
+ return QDF_STATUS_E_INVAL;
+ }
 /* Store the event list for run time enable/disable */
 wmi_handle->events_logs_list = qdf_mem_malloc(num_of_diag_events_logs *
 sizeof(uint32_t));
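Review bot: `WMI_SVC_MSG_MAX_SIZE` is added without a comment, although the two defines above it state their units and this value is now used as a security bound. The other hunk divides it by `sizeof(uint32_t)`, so it is evidently a byte count, and the commit message describes it as the maximum event buffer size. I would write `#define WMI_SVC_MSG_MAX_SIZE 1536 /* max WMI event buffer size from FW, in bytes */`, and confirm the number matches the transport's real buffer limit, which is not visible in this patch.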
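Review bot: The new early return sits after `qdf_mem_free(wmi_handle->events_logs_list)`, so on the oversize path `wmi_handle->events_logs_list` is left pointing at freed memory; before this change the pointer was always overwritten by the `qdf_mem_malloc()` result. A later call into this function would then free it a second time through the same `if (wmi_handle->events_logs_list)` guard, and any other reader of the list would be a use-after-free. Move the bound check above the free, or add `wmi_handle->events_logs_list = NULL;` right after the `qdf_mem_free()` call. Since the count comes from firmware event data, `QDF_ASSERT(0)` also lets a malformed event halt builds where asserts are fatal (presumably debug builds), so logging and returning `QDF_STATUS_E_INVAL` alone may be preferable. The function body starts and continues outside the hunk.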