
qcacmn: Fix Integer Overflow Leading to Buffer Overflow

The wmi_buf_alloc() API takes its length argument as uint16_t,
but its callers pass uint32_t values to it.
This can result in an overflow and, after that, illegal memory
access. The fix is to modify the API signature accordingly.

Change-Id: If09da4978d421269b884f7d3c933c49c81651475
CRs-Fixed: 2218346
Debasis Das 7 years ago
parent
commit
78495ce966
2 changed files with 5 additions and 5 deletions
  1. 2 2
      wmi/inc/wmi_unified_api.h
  2. 3 3
      wmi/src/wmi_unified.c

+ 2 - 2
wmi/inc/wmi_unified_api.h

@@ -195,10 +195,10 @@ wmi_unified_remove_work(struct wmi_unified *wmi_handle);
 #ifdef NBUF_MEMORY_DEBUG
 #define wmi_buf_alloc(h, l) wmi_buf_alloc_debug(h, l, __FILE__, __LINE__)
 wmi_buf_t
-wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len,
+wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len,
 		    uint8_t *file_name, uint32_t line_num);
 #else
-wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len);
+wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
 #endif
 
 /**
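Review bot: Nothing in this header states the accepted range of `len`, and with both prototypes now taking `uint32_t` a length of up to 4 GiB reaches the allocator without being truncated. The bodies of `wmi_buf_alloc_debug()` and `wmi_buf_alloc()` in wmi/src/wmi_unified.c begin inside the later hunks and continue outside them, so this page does not show whether `len` is compared against the maximum WMI message size before any headroom or rounding is added to it. That comparison should come first, so that a value near `UINT32_MAX` cannot wrap and yield a small buffer. Once that is confirmed, I would document the contract above the prototypes, for example `/* len: payload length in bytes; NULL is returned if it exceeds the maximum WMI message size */`. Callers that still compute the length in a `uint16_t` local will keep truncating before the call and need the same audit.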

+ 3 - 3
wmi/src/wmi_unified.c

@@ -1209,8 +1209,8 @@ int wmi_get_host_credits(wmi_unified_t wmi_handle);
 
 #ifdef NBUF_MEMORY_DEBUG
 wmi_buf_t
-wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len, uint8_t *file_name,
-			uint32_t line_num)
+wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len, uint8_t *file_name,
+		    uint32_t line_num)
 {
 	wmi_buf_t wmi_buf;
 
@@ -1245,7 +1245,7 @@ void wmi_buf_free(wmi_buf_t net_buf)
 }
 qdf_export_symbol(wmi_buf_free);
 #else
-wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len)
+wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
 {
 	wmi_buf_t wmi_buf;