qcacmn: utils: Validate packet length, before processing PTT commands

There is a possibility of buffer overread while processing PTT commands, because of packet length check is missing. While processing PTT commands, validate packet length to make sure there is no buffer overread. Change-Id: I65b2839b0812fc8b2421e4d73e14a05620411c53 CRs-Fixed: 2121017
2017-10-04 16:30:45 +05:30
commit 73112fd8aa
--- a/utils/ptt/src/wlan_ptt_sock_svc.c
+++ b/utils/ptt/src/wlan_ptt_sock_svc.c
@@ -270,6 +270,7 @@ static int ptt_sock_rx_nlink_msg(struct sk_buff *skb)
 */
 static void ptt_cmd_handler(const void *data, int data_len, void *ctx, int pid)
 {
+	uint16_t length;
 	struct sptt_app_reg_req *payload;
 	struct nlattr *tb[CLD80211_ATTR_MAX + 1];

@@ -295,6 +296,23 @@ static void ptt_cmd_handler(const void *data, int data_len, void *ctx, int pid)
 	}

 	payload = (struct sptt_app_reg_req *)(nla_data(tb[CLD80211_ATTR_DATA]));
+	length = be16_to_cpu(payload->wmsg.length);
+	if ((USHRT_MAX - length) < (sizeof(payload->radio) + sizeof(tAniHdr))) {
+		PTT_TRACE(QDF_TRACE_LEVEL_ERROR,
+			"u16 overflow length %d %zu %zu",
+			length,
+			sizeof(payload->radio),
+			sizeof(tAniHdr));
+		return;
+	}
+
+	if (nla_len(tb[CLD80211_ATTR_DATA]) <  (length +
+						sizeof(payload->radio) +
+						sizeof(tAniHdr))) {
+		PTT_TRACE(VOS_TRACE_LEVEL_ERROR, "ATTR_DATA len check failed");
+		return;
+	}
+
 	switch (payload->wmsg.type) {
 	case ANI_MSG_APP_REG_REQ:
 		ptt_sock_send_msg_to_app(&payload->wmsg, payload->radio,