qcacmn: Fix buffer overflow in fill_ieee80211_hdr_data
Currently variable pl_msdu_info->num_msdu is from message, and is used directly as array size. This may cause buffer overflow. To address this issue add qdf_assert check. Change-Id: Ice78633314b321243136ce4987c633e1201d3cb8 CRs-Fixed: 2187441
This commit is contained in:
Alok Kumar
@@ -280,6 +280,13 @@ fill_ieee80211_hdr_data(struct cdp_pdev *pdev,
|
|||||||
pl_msdu_info->priv_size = sizeof(uint32_t) *
|
pl_msdu_info->priv_size = sizeof(uint32_t) *
|
||||||
pl_msdu_info->num_msdu + sizeof(uint32_t);
|
pl_msdu_info->num_msdu + sizeof(uint32_t);
|
||||||
|
|
||||||
|
if (pl_msdu_info->num_msdu > MAX_PKT_INFO_MSDU_ID) {
|
||||||
|
QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
|
||||||
|
"%s: Invalid num_msdu count",
|
||||||
|
__func__);
|
||||||
|
qdf_assert(0);
|
||||||
|
return;
|
||||||
|
}
|
||||||
for (i = 0; i < pl_msdu_info->num_msdu; i++) {
|
for (i = 0; i < pl_msdu_info->num_msdu; i++) {
|
||||||
/*
|
/*
|
||||||
* Handle big endianness
|
* Handle big endianness
|
||||||
|
|||||||
مرجع در شماره جدید
Block a user