Accueil Explorer Aide
Connexion
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

qcacmn: Fix possible buffer overflow in wma_encrypt_decrypt_msg_handler

Data len received in encrypt decrypt data response
is not validated against the max allowed size which
can result in buffer overflow.

Fix is to validate data len against max allowed size.

Change-Id: I69bd8e63014220e5a2f291e4a0b1914d10c79fd7
CRs-Fixed: 2226375
Yeshwanth Sriram Guntuka il y a 6 ans
Parent
686253e1f1
commit
985e8440d5
1 fichiers modifiés avec 3 ajouts et 1 suppressions
Vue séparée Afficher les stats Diff
  1. 3 1
      wmi/src/wmi_unified_tlv.c

+ 3 - 1
wmi/src/wmi_unified_tlv.c
Voir le fichier 

@@ -5886,7 +5886,9 @@ QDF_STATUS extract_encrypt_decrypt_resp_event_tlv(wmi_unified_t wmi_handle,
 
 	resp->vdev_id = data_event->vdev_id;
 
 	resp->status = data_event->status;
 
 
-	if (data_event->data_length > param_buf->num_enc80211_frame) {
 
+	if ((data_event->data_length > param_buf->num_enc80211_frame) ||
 
+	    (data_event->data_length > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE -
 
+	     sizeof(*data_event))) {
 
 		WMI_LOGE("FW msg data_len %d more than TLV hdr %d",
 
 			 data_event->data_length,
 
 			 param_buf->num_enc80211_frame);