samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Possible integer overflow in hdd apf read memory cb

Browse Source 
In hdd_apf_read_memory_cb, context buffer length is checked
against sum of packet offset and event length, packet offset
and event length are extracted from FW response and can lead
to integer overflow, which will allow to pass the length check
and eventually will lead to buffer overwrite when event data is
copied to context buffer.

To avoid this issue, validate the event length against the
available length in the context buffer, which can be obtained
by getting difference of packet offset from the context buffer
length.

Change-Id: I53798e56403f1c550f0a762645ccd67a1dc8500d
CRs-fixed: 2436502
This commit is contained in:
Ashish Kumar Dhanotiya
2019-04-17 17:06:04 +05:30
committed by nshrivas
parent 43175c49ac
commit 7ba53e0e39
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
core/hdd/src/wlan_hdd_apf.c
View File

@@ -472,7 +472,8 @@ hdd_apf_read_memory_callback(void *hdd_context,
*/ */
pkt_offset = evt->offset - context->offset; pkt_offset = evt->offset - context->offset;
if (context->buf_len < pkt_offset + evt->length) { if ((pkt_offset > context->buf_len) ||
(context->buf_len - pkt_offset < evt->length)) {
hdd_err("Read chunk exceeding allocated space"); hdd_err("Read chunk exceeding allocated space");
return; return;
} }