qcacmn: Add sanity check to avoid len overflow issue in WMI event data
In WMI/WMA, data from event buffer from FW is used without sanity checks for upper limit in multiple places. This might lead to a potential integer overflow further leading to buffer corruption Add upper bound checks for max limit of event buffer (1536) in all affected places to prevent the potential integer overflow Change-Id: Ic9194a27c4a4c63fc68ff7fc61165a53e66ca4f4 CRs-Fixed: 2095545
This commit is contained in:

committed by
snandini

parent
6af738bb71
commit
1d25d6d7fc
@@ -93,6 +93,7 @@
|
||||
#define WMI_MSEC_TO_USEC(msec) (msec * 1000) /* msec to usec */
|
||||
#define WMI_NLO_FREQ_THRESH 1000 /* in MHz */
|
||||
|
||||
#define WMI_SVC_MSG_MAX_SIZE 1536
|
||||
#define MAX_UTF_EVENT_LENGTH 2048
|
||||
#define MAX_WMI_UTF_LEN 252
|
||||
#define MAX_WMI_QVIT_LEN 252
|
||||
|
@@ -12447,6 +12447,13 @@ static QDF_STATUS send_log_supported_evt_cmd_tlv(wmi_unified_t wmi_handle,
|
||||
if (wmi_handle->events_logs_list)
|
||||
qdf_mem_free(wmi_handle->events_logs_list);
|
||||
|
||||
if (num_of_diag_events_logs >
|
||||
(WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t))) {
|
||||
WMI_LOGE("%s: excess num of logs:%d", __func__,
|
||||
num_of_diag_events_logs);
|
||||
QDF_ASSERT(0);
|
||||
return QDF_STATUS_E_INVAL;
|
||||
}
|
||||
/* Store the event list for run time enable/disable */
|
||||
wmi_handle->events_logs_list = qdf_mem_malloc(num_of_diag_events_logs *
|
||||
sizeof(uint32_t));
|
||||
|
Reference in New Issue
Block a user