qcacmn: Fix Integer Overflow Leading to Buffer Overflow

wmi_buf_alloc() API expects length to be passed of type uint16_t. However, the callers pass uint32_t to it. This might result in overflow and illegal memory access thereafter. The fix is to modify the API signature accordingly. Change-Id: If09da4978d421269b884f7d3c933c49c81651475 CRs-Fixed: 2218346
2018-04-04 17:17:55 +05:30
parent da542178c9
commit 78495ce966
2 changed files with 5 additions and 5 deletions
--- a/wmi/inc/wmi_unified_api.h
+++ b/wmi/inc/wmi_unified_api.h
@@ -195,10 +195,10 @@ wmi_unified_remove_work(struct wmi_unified *wmi_handle);
 #ifdef NBUF_MEMORY_DEBUG
 #define wmi_buf_alloc(h, l) wmi_buf_alloc_debug(h, l, __FILE__, __LINE__)
 wmi_buf_t
-wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len,
+wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len,
 		    uint8_t *file_name, uint32_t line_num);
 #else
-wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len);
+wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
 #endif
 /**
--- a/wmi/src/wmi_unified.c
+++ b/wmi/src/wmi_unified.c
@@ -1209,8 +1209,8 @@ int wmi_get_host_credits(wmi_unified_t wmi_handle);
 #ifdef NBUF_MEMORY_DEBUG
 wmi_buf_t
-wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len, uint8_t *file_name,
+wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len, uint8_t *file_name,
-			uint32_t line_num)
+		    uint32_t line_num)
 {
 	wmi_buf_t wmi_buf;
@@ -1245,7 +1245,7 @@ void wmi_buf_free(wmi_buf_t net_buf)
 }
 qdf_export_symbol(wmi_buf_free);
 #else
-wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len)
+wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
 {
 	wmi_buf_t wmi_buf;