qcacmn: Fix possible OOB read in extract_reg_cap_service_ready_ext_tlv

OOB read can occur while handling WMI_SERVICE_READY_EXT_EVENTID event
when large invalid num_phy received in that event, as this value is used
as index to array.

Change-Id: I0e80d04d19160e219028b07599a8b9953a798fb2
CRs-Fixed: 2374726
This commit is contained in:
Arif Hussain
2019-01-17 15:00:33 -08:00
committed by nshrivas
vanhempi 1f55ed1a9f
commit 2028c7f543

Näytä tiedosto

@@ -9337,6 +9337,9 @@ static QDF_STATUS extract_reg_cap_service_ready_ext_tlv(
if (!reg_caps)
return QDF_STATUS_E_INVAL;
if (reg_caps->num_phy > param_buf->num_hal_reg_caps)
return QDF_STATUS_E_INVAL;
if (phy_idx >= reg_caps->num_phy)
return QDF_STATUS_E_INVAL;