qcacmn: Fix possible OOB in extract_ocb_dcc_stats_tlv

The correct element number of param_tlvs->stats_per_channel_list is actually param_tlvs->num_stats_per_channel_list and thus the qdf_mem_copy() can actually copy more bytes than are in the buffer causing a buffer overread. Fix it by checking fix_param->num_channels against the actually param_tlvs->num_stats_per_channel_list before doing memory copy. Change-Id: I610920ac1d0a927a52de83935616e8e8fdfec7e7 CRs-Fixed: 2428212
2019-04-04 15:50:14 +08:00
--- a/wmi/src/wmi_unified_ocb_tlv.c
+++ b/wmi/src/wmi_unified_ocb_tlv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -742,9 +742,11 @@ static QDF_STATUS extract_ocb_dcc_stats_tlv(wmi_unified_t wmi_handle,

 	/* Allocate and populate the response */
 	if (fix_param->num_channels > ((WMI_SVC_MSG_MAX_SIZE -
-	    sizeof(*fix_param)) / sizeof(wmi_dcc_ndl_stats_per_channel))) {
-		WMI_LOGE("%s: too many channels:%d", __func__,
-			 fix_param->num_channels);
+	    sizeof(*fix_param)) / sizeof(wmi_dcc_ndl_stats_per_channel)) ||
+	    fix_param->num_channels > param_tlvs->num_stats_per_channel_list) {
+		WMI_LOGE("%s: too many channels:%d actual:%d", __func__,
+			 fix_param->num_channels,
+			 param_tlvs->num_stats_per_channel_list);
 		QDF_ASSERT(0);
 		*resp = NULL;
 		return QDF_STATUS_E_INVAL;