From 750f71a5e6996ff556134add0a6403acde2c0c04 Mon Sep 17 00:00:00 2001
From: Pragaspathi Thilagaraj
Date: Tue, 26 Feb 2019 23:22:39 +0530
Subject: [PATCH] qcacmn: Fix possible buffer overflow in send_scan_start_cmd_tlv

In the function send_scan_start_cmd_tlv(), extraie_len_with_pad is computed as roundup(params->extraie.len, sizeof(uint32_t)). But extraie_len_with_pad is of type uint8_t. This causes integer overflow of extraie_len_with_pad.

The length of the wmi command buffer for scan command (len) is incremented by this extraie_len_with_pad to allocate memory for the additional IEs that are passed from upper layer to the firmware. But when params->extraie.len is greater than 255, extraie_len_with_pad overflows and obtains a lower value. This causes a lower wmi buffer length allocation, but the copy is done for the entire params->extraie.len, resulting in overwriting of the skb that is passed to firmware. This causes a host assert when this skb is freed.

Change the data type of extraie_len_with_pad to uint16_t from uint8_t as the additional IE sent from upper layer can have a maximum length of 2048. Also change the data type of len from int to size_t to avoid overflow of len.

Change-Id: I11fae83a85a3f787b37e47df97ffc4b183cba913
CRs-Fixed: 2405641
---
 wmi/src/wmi_unified_tlv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 26243cbc57..19dae104c5 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -2452,8 +2452,8 @@ static QDF_STATUS send_scan_start_cmd_tlv(wmi_unified_t wmi_handle, uint32_t *tmp_ptr; wmi_ssid *ssid = NULL; wmi_mac_addr *bssid; - int len = sizeof(*cmd); - uint8_t extraie_len_with_pad = 0; + size_t len = sizeof(*cmd); + uint16_t extraie_len_with_pad = 0; uint8_t phymode_roundup = 0; struct probe_req_whitelist_attr *ie_whitelist = ¶ms->ie_whitelist;
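Review bot: widening `extraie_len_with_pad` to `uint16_t` and `len` to `size_t` removes the wrap at 255, but the hunk adds no explicit bound on `params->extraie.len`, so the fix relies on the 2048-byte maximum the commit message cites holding at every caller; an early rejection before the roundup (that line is outside this hunk), for example `if (params->extraie.len > <max extra IE length>) return QDF_STATUS_E_INVAL;` with the real limit substituted for the placeholder, would keep the allocation and the copy consistent even if an upper layer ever hands down a larger IE blob. Also worth confirming that the now `size_t` `len` is not narrowed again where it is passed into the buffer allocation and the TLV length fields (not visible here), since a truncation at that point would reintroduce the same mismatch between allocated and copied lengths that the message describes. The neighbouring `uint8_t phymode_roundup` is left untouched; if it is computed the same way from a caller-supplied count, the same concern applies to it.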