|
|
@@ -10424,6 +10424,18 @@ static QDF_STATUS send_nan_req_cmd_tlv(wmi_unified_t wmi_handle,
|
|
|
nan_data_len = nan_req->request_data_len;
|
|
|
nan_data_len_aligned = roundup(nan_req->request_data_len,
|
|
|
sizeof(uint32_t));
|
|
|
+ if (nan_data_len_aligned < nan_req->request_data_len) {
|
|
|
+ WMI_LOGE("%s: integer overflow while rounding up data_len",
|
|
|
+ __func__);
|
|
|
+ return QDF_STATUS_E_FAILURE;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (nan_data_len_aligned > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE) {
|
|
|
+ WMI_LOGE("%s: wmi_max_msg_size overflow for given datalen",
|
|
|
+ __func__);
|
|
|
+ return QDF_STATUS_E_FAILURE;
|
|
|
+ }
|
|
|
+
|
|
|
len += WMI_TLV_HDR_SIZE + nan_data_len_aligned;
|
|
|
buf = wmi_buf_alloc(wmi_handle, len);
|
|
|
if (!buf) {
|
Naveen Rawat