qcacld-3.0: Fix an OOB issue in bmi_sign_stream_start()
Remaining may be greater than its original value when (remaining & 0x3)!=0, then OOB occurs when memcpy.To address this, align the remaining after doing memcpy. Change-Id: I3e39a791a76a272e82beb6561375e26ca84ec0f4 CRs-Fixed: 2259721
这个提交包含在:
Lihua Liu
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2014-2017 The Linux Foundation. All rights reserved.
|
* Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
|
||||||
*
|
*
|
||||||
* Permission to use, copy, modify, and/or distribute this software for
|
* Permission to use, copy, modify, and/or distribute this software for
|
||||||
* any purpose with or without fee is hereby granted, provided that the
|
* any purpose with or without fee is hereby granted, provided that the
|
||||||
@@ -414,8 +414,8 @@ QDF_STATUS bmi_sign_stream_start(uint32_t address, uint8_t *buffer,
|
|||||||
src = &buffer[length - remaining];
|
src = &buffer[length - remaining];
|
||||||
if (remaining < (BMI_DATASZ_MAX - header)) {
|
if (remaining < (BMI_DATASZ_MAX - header)) {
|
||||||
if (remaining & 0x3) {
|
if (remaining & 0x3) {
|
||||||
remaining = remaining + (4 - (remaining & 0x3));
|
|
||||||
memcpy(aligned_buf, src, remaining);
|
memcpy(aligned_buf, src, remaining);
|
||||||
|
remaining = remaining + (4 - (remaining & 0x3));
|
||||||
src = aligned_buf;
|
src = aligned_buf;
|
||||||
}
|
}
|
||||||
txlen = remaining;
|
txlen = remaining;
|
||||||
|
|||||||
在新工单中引用
屏蔽一个用户