qcacld-3.0: Fix buffer overflow in process_tx_info and process_rx_info

Currently data in "pl_tgt_hdr" is used directly from firmware without any length check which may cause buffer over-read. To address this issue add length check before accessing data offset Change-Id: Ic2930fdf7168b79a8522be282b0e1cd19214742a CRs-Fixed: 2148631
2018-01-24 17:40:30 +05:30
parent a9b2135b71
commit 504230b163
2 changed files with 15 additions and 1 deletions
--- a/core/dp/htt/htt_t2h.c
+++ b/core/dp/htt/htt_t2h.c
@@ -467,7 +467,16 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
 #ifndef REMOVE_PKT_LOG
 	case HTT_T2H_MSG_TYPE_PKTLOG:
 	{
-		pktlog_process_fw_msg(msg_word + 1);
+		uint32_t len = qdf_nbuf_len(htt_t2h_msg);
+
+		if (len < sizeof(*msg_word) + sizeof(uint32_t)) {
+			qdf_print("%s: invalid nbuff len \n", __func__);
+			WARN_ON(1);
+			break;
+		}
+
+		/*len is reduced by sizeof(*msg_word)*/
+		pktlog_process_fw_msg(msg_word + 1, len - sizeof(*msg_word));
 		break;
 	}
 #endif
--- a/core/dp/txrx/ol_txrx_types.h
+++ b/core/dp/txrx/ol_txrx_types.h
@@ -1324,6 +1324,11 @@ struct ol_rx_remote_data {
 	uint8_t mac_id;
 };

+struct ol_fw_data {
+	void *data;
+	uint32_t len;
+};
+
 #define INVALID_REORDER_INDEX 0xFFFF

 #define SPS_DESC_SIZE 8