From 5920a4b83c384368b708a2c6f987966fdf13ba65 Mon Sep 17 00:00:00 2001
From: Pragaspathi Thilagaraj
Date: Wed, 16 May 2018 18:51:32 +0530
Subject: [PATCH] qcacmn: Fix possible buffer overflow in send_stats_ext_req_cmd_tlv

In the function __wlan_hdd_cfg80211_stats_ext_request, data_len is recieved from vendor command and is passed ultimately to send_stats_ext_req_cmd_tlv. In send_stats_ext_req_cmd_tlv, len is calculated as sum of sizeof(*cmd), WMI_TLV_HDR_SIZE, preq->request_data_len.The len is of type uint16_t and adding sizeof(*cmd) + WMI_TLV_HDR_SIZE will cause a buffer overflow. Changed the datatype of len to size_t so that it doesn't overflow.

Change-Id: I6618042e3c60bbdb1ff5d833188f4bdb4832da7a
CRs-Fixed: 2243169
---
 wmi_unified_tlv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wmi_unified_tlv.c b/wmi_unified_tlv.c
index 4397b32d4f..864850ce0d 100644
--- a/wmi_unified_tlv.c
+++ b/wmi_unified_tlv.c
@@ -9294,7 +9294,7 @@ static QDF_STATUS send_stats_ext_req_cmd_tlv(wmi_unified_t wmi_handle,
 QDF_STATUS ret;
 wmi_req_stats_ext_cmd_fixed_param *cmd;
 wmi_buf_t buf;
- uint16_t len;
+ size_t len;
 uint8_t *buf_ptr;
 len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + preq->request_data_len;
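Review bot: `preq->request_data_len` still reaches `len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + preq->request_data_len;` with no upper bound, so widening `len` to `size_t` only stops the sum from wrapping at 16 bits. The commit message says this length comes from a vendor command, so it should be validated before the addition, for example `if (preq->request_data_len > MAX_STATS_EXT_DATA_LEN) return QDF_STATUS_E_INVAL;`, where `MAX_STATS_EXT_DATA_LEN` is a placeholder for the largest payload one WMI message can carry. The function body continues outside the hunk, so the buffer allocation and command send that consume `len` are not visible. If either takes a narrower length type, the truncation would presumably just move to that call, which is worth confirming. A short comment above the check stating that the length is caller-controlled would help keep the bound from being removed later.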