samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Validate the buffer length in rx mgmt handler

Browse Source 
In the WMI_MGMT_RX_EVENTID event handling, add a length
check to validate if the buffer length sent by the firmware
is less than or equal to the actual buffer length.

Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023
CRs-Fixed: 3001331
This commit is contained in:
Surya Prakash Sivaraj
2021-08-05 11:13:12 +05:30
committed by Madan Koyyalamudi
parent 39f2f9dcfa
commit 1f8ca56f1a
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
wmi/src/wmi_unified_tlv.c
View File

@@ -10591,6 +10591,11 @@ static QDF_STATUS extract_mgmt_rx_params_tlv(wmi_unified_t wmi_handle,
return QDF_STATUS_E_INVAL; return QDF_STATUS_E_INVAL;
} }
if (ev_hdr->buf_len > param_tlvs->num_bufp) {
wmi_err("Rx mgmt frame length mismatch, discard it");
return QDF_STATUS_E_INVAL;
}
hdr->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host( hdr->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host(
wmi_handle, wmi_handle,
ev_hdr->pdev_id); ev_hdr->pdev_id);