From 7ba53e0e39321a66bc3bc8f740d49e816dca018e Mon Sep 17 00:00:00 2001 From: Ashish Kumar Dhanotiya Date: Wed, 17 Apr 2019 17:06:04 +0530 Subject: [PATCH] qcacld-3.0: Possible integer overflow in hdd apf read memory cb In hdd_apf_read_memory_cb, context buffer length is checked against sum of packet offset and event length, packet offset and event length are extracted from FW response and can lead to integer overflow, which will allow to pass the length check and eventually will lead to buffer overwrite when event data is copied to context buffer. To avoid this issue, validate the event length against the available length in the context buffer, which can be obtained by getting difference of packet offset from the context buffer length. Change-Id: I53798e56403f1c550f0a762645ccd67a1dc8500d CRs-fixed: 2436502 --- core/hdd/src/wlan_hdd_apf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/core/hdd/src/wlan_hdd_apf.c b/core/hdd/src/wlan_hdd_apf.c index 9e0c42022e..723d34d57c 100644 --- a/core/hdd/src/wlan_hdd_apf.c +++ b/core/hdd/src/wlan_hdd_apf.c @@ -472,7 +472,8 @@ hdd_apf_read_memory_callback(void *hdd_context, */ pkt_offset = evt->offset - context->offset; - if (context->buf_len < pkt_offset + evt->length) { + if ((pkt_offset > context->buf_len) || + (context->buf_len - pkt_offset < evt->length)) { hdd_err("Read chunk exceeding allocated space"); return; }
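Review bot: the new two-clause check in hdd_apf_read_memory_callback is only overflow-safe if `pkt_offset`, `context->buf_len` and `evt->length` are all unsigned and of the same width; the hunk does not show their declarations, so please confirm, because a signed `pkt_offset` would make both `pkt_offset > context->buf_len` and the subtraction `context->buf_len - pkt_offset` behave differently from what the commit message describes. The first clause also relies on the earlier `pkt_offset = evt->offset - context->offset;` wrapping to a large unsigned value when the firmware-reported `evt->offset` is smaller than `context->offset`; an explicit rejection such as `if (evt->offset < context->offset)` before the subtraction would state that intent directly instead of depending on wraparound. With the types confirmed, using `>` rather than `>=` in the first clause is fine: `pkt_offset == context->buf_len` leaves zero remaining bytes and the second clause then rejects any non-zero `evt->length`.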