From 66dfa5cfed7b91a656f4580959ebebf1ba3e9f42 Mon Sep 17 00:00:00 2001 From: Harprit Chhabada Date: Mon, 8 Oct 2018 14:45:35 -0700 Subject: [PATCH] qcacld-3.0: Add bound check for fixed_param->total_num_tx_power_levels Add bound check for new fixed_param->total_num_tx_power_levels with its old value of rs_results->total_num_tx_power_levels in wma_unified_radio_tx_power_level_stats_event_handler. rs_results->tx_time_per_power_level is allocated only once if it has not been already allocated.This allocation is saved into the global wma_handle structure. If multiple invocations of this handler occur then a buffer overflow can occur in the following scenario: 1. First message is used to allocate rs_results->tx_time_per_power_level with a small, but valid size. 2. Second message skips allocation of rs_results->tx_time_per_power_level since it was done with the first message. This message specifies a larger valid value and causes the qdf_mem_copy() to overflow. Change-Id: Ib9c7d3bd667e2ffc1408cd7356be35985331e028 CRs-Fixed: 2327688
---
core/wma/src/wma_utils.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index c0f4fd2062..7682aad0d0 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -1524,6 +1524,14 @@ static int wma_unified_radio_tx_power_level_stats_event_handler(void *handle,
 fixed_param->radio_id;
 tx_power_level_values = (uint8_t *) param_tlvs->tx_time_per_power_level;
+ if (fixed_param->total_num_tx_power_levels >
+ rs_results->total_num_tx_power_levels) {
+ WMA_LOGE("%s: excess tx_power buffers:%d, total_num_tx_power_levels:%d",
+ __func__, fixed_param->total_num_tx_power_levels,
+ rs_results->total_num_tx_power_levels);
+ return -EINVAL;
+ }
+
 rs_results->total_num_tx_power_levels = fixed_param->total_num_tx_power_levels;
 if (!rs_results->total_num_tx_power_levels) {
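Review bot: The added guard compares the incoming count against the previously stored rs_results->total_num_tx_power_levels rather than against the capacity tx_time_per_power_level was actually allocated with, and the assignment immediately below it then overwrites the stored count with the current message's value, so the bound only ratchets downward: once a smaller count has been accepted, a later event carrying the original, still-fitting count is rejected with -EINVAL. The check is therefore correct only if the stored count is never changed without the buffer being reallocated to match, an invariant that the allocation path and the qdf_mem_copy() cannot confirm here because both lie outside the hunk, as do the start and end of wma_unified_radio_tx_power_level_stats_event_handler. It is also worth confirming what the stored count holds before the first event of a session, since a zero-initialised value would make this guard reject every first message with a non-zero count unless an earlier event populates it. The hunk does not relate the count to the length of the incoming TLV array either, so whether the copy's source side is bounded is not established by this change. I would record the invariant above the check: `/* tx_time_per_power_level is sized from the first count seen; never accept a larger one without reallocating */`.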