From 1f8ca56f1adc73cd8127a70177342cc6e4bef5e6 Mon Sep 17 00:00:00 2001
From: Surya Prakash Sivaraj
Date: Thu, 5 Aug 2021 11:13:12 +0530
Subject: [PATCH] qcacmn: Validate the buffer length in rx mgmt handler

In the WMI_MGMT_RX_EVENTID event handling, add a length check to validate if the buffer length sent by the firmware is less than or equal to the actual buffer length.

Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023
CRs-Fixed: 3001331
---
 wmi/src/wmi_unified_tlv.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 9957799074..159720339b 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -10591,6 +10591,11 @@ static QDF_STATUS extract_mgmt_rx_params_tlv(wmi_unified_t wmi_handle,
 return QDF_STATUS_E_INVAL;
 }
 
+ if (ev_hdr->buf_len > param_tlvs->num_bufp) {
+ wmi_err("Rx mgmt frame length mismatch, discard it");
+ return QDF_STATUS_E_INVAL;
+ }
+
 hdr->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host(
 wmi_handle,
 ev_hdr->pdev_id);
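Review bot: The added `wmi_err()` call in extract_mgmt_rx_params_tlv logs neither length, so a discarded frame leaves nothing in the log to tell a firmware accounting bug from a malformed event. I would log both values, e.g. `wmi_err("Rx mgmt frame length mismatch, discard it: buf_len %u num_bufp %u", ev_hdr->buf_len, param_tlvs->num_bufp);` (the `%u` specifiers assume both fields are 32-bit unsigned, which the hunk does not show). A one-line comment above the check, such as `/* buf_len is firmware-supplied; it must not exceed the received buffer length (num_bufp) */`, would keep the guard from being dropped as redundant later. The check bounds buf_len from above only; whether consumers of the frame also need a minimum length cannot be judged here, because the function starts and ends outside the hunk.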