From 78495ce9665a210b3aee685fc51dcc88f1dcf024 Mon Sep 17 00:00:00 2001
From: Debasis Das
Date: Wed, 4 Apr 2018 17:17:55 +0530
Subject: [PATCH] qcacmn: Fix Integer Overflow Leading to Buffer Overflow

wmi_buf_alloc() API expects length to be passed of type uint16_t. However, the callers pass uint32_t to it. This might result in overflow and illegal memory access thereafter. The fix is to modify the API signature accordingly.
Change-Id: If09da4978d421269b884f7d3c933c49c81651475
CRs-Fixed: 2218346
---
 wmi/inc/wmi_unified_api.h | 4 ++--
 wmi/src/wmi_unified.c | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/wmi/inc/wmi_unified_api.h b/wmi/inc/wmi_unified_api.h
index 680226abe7..f8cf143eb1 100644
--- a/wmi/inc/wmi_unified_api.h
+++ b/wmi/inc/wmi_unified_api.h
@@ -195,10 +195,10 @@ wmi_unified_remove_work(struct wmi_unified *wmi_handle);
 #ifdef NBUF_MEMORY_DEBUG
 #define wmi_buf_alloc(h, l) wmi_buf_alloc_debug(h, l, __FILE__, __LINE__)
 wmi_buf_t
-wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len,
+wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len,
 uint8_t *file_name, uint32_t line_num);
 #else
-wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len);
+wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
 #endif
 /**
diff --git a/wmi/src/wmi_unified.c b/wmi/src/wmi_unified.c
index 1db454b923..6ecf198502 100644
--- a/wmi/src/wmi_unified.c
+++ b/wmi/src/wmi_unified.c
@@ -1209,8 +1209,8 @@ int wmi_get_host_credits(wmi_unified_t wmi_handle);
 #ifdef NBUF_MEMORY_DEBUG
 wmi_buf_t
-wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len, uint8_t *file_name,
- uint32_t line_num)
+wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len, uint8_t *file_name,
+ uint32_t line_num)
 {
 wmi_buf_t wmi_buf;
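Review bot: Widening `len` to `uint32_t` in `wmi_buf_alloc_debug()` and `wmi_buf_alloc()` (the @@ -1209 and @@ -1245 hunks of wmi/src/wmi_unified.c, with the matching prototypes in wmi/inc/wmi_unified_api.h) removes the 16-bit truncation, but nothing visible in these hunks rejects an oversized length. Both function bodies continue outside the hunks; if they add headroom to `len` or round it up before allocating, which cannot be confirmed from here, a value near `UINT32_MAX` would wrap in 32-bit arithmetic and again produce a buffer smaller than the caller expects. An early guard at the top of both allocators, for example `if (len > WMI_MAX_LEN_PLACEHOLDER) return NULL;` (the placeholder stands for the target's real maximum message size), would close that gap. The same limit should be stated in the `len` description of the header's doc comment so callers know the contract.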
@@ -1245,7 +1245,7 @@ void wmi_buf_free(wmi_buf_t net_buf)
 }
 qdf_export_symbol(wmi_buf_free);
 #else
-wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len)
+wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
 {
 wmi_buf_t wmi_buf;