qcacmn: Check for buffer overflow for diag messages

Check for buffer overflow from diag messages. Change-Id: I5ff85b24b0e26393343dc4cc4c41a9f84e6ba8e9 CRs-Fixed: 2129586
2017-10-17 11:22:31 -07:00
--- a/utils/fwlog/dbglog_host.c
+++ b/utils/fwlog/dbglog_host.c
@@ -1686,18 +1686,22 @@ static int send_fw_diag_nl_data(const uint8_t *buffer, A_UINT32 len,
 static int
 process_fw_diag_event_data(uint8_t *datap, uint32_t num_data)
 {
-	uint32_t i;
 	uint32_t diag_type;
 	uint32_t nl_data_len; /* diag hdr + payload */
 	uint32_t diag_data_len; /* each fw diag payload */
 	struct wlan_diag_data *diag_data;

-	for (i = 0; i < num_data; i++) {
+	while (num_data > 0) {
 		diag_data = (struct wlan_diag_data *)datap;
 		diag_type = WLAN_DIAG_0_TYPE_GET(diag_data->word0);
 		diag_data_len = WLAN_DIAG_0_LEN_GET(diag_data->word0);
 		/* Length of diag struct and len of payload */
 		nl_data_len = sizeof(struct wlan_diag_data) + diag_data_len;
+		if (nl_data_len > num_data) {
+			AR_DEBUG_PRINTF(ATH_DEBUG_INFO,
+					("processed all the messages\n"));
+			return 0;
+		}

 		switch (diag_type) {
 		case DIAG_TYPE_FW_EVENT:
@@ -1711,6 +1715,7 @@ process_fw_diag_event_data(uint8_t *datap, uint32_t num_data)
 		}
 		/* Move to the next event and send to cnss-diag */
 		datap += nl_data_len;
+		num_data -= nl_data_len;
 	}

 	return 0;