qcacmn: Fix possible buffer overflow in wma_encrypt_decrypt_msg_handler

Data len received in encrypt decrypt data response
is not validated against the max allowed size which
can result in buffer overflow.

Fix is to validate data len against max allowed size.

Change-Id: I69bd8e63014220e5a2f291e4a0b1914d10c79fd7
CRs-Fixed: 2226375
Yeshwanth Sriram Guntuka 7 years ago
Parent
Current commit
985e8440d5
1 file changed, 3 insertions and 1 deletion
  1. wmi/src/wmi_unified_tlv.c (3 insertions, 1 deletion)

+ 3 - 1
wmi/src/wmi_unified_tlv.c

@@ -5886,7 +5886,9 @@ QDF_STATUS extract_encrypt_decrypt_resp_event_tlv(wmi_unified_t wmi_handle,
 	resp->vdev_id = data_event->vdev_id;
 	resp->status = data_event->status;
 
-	if (data_event->data_length > param_buf->num_enc80211_frame) {
+	if ((data_event->data_length > param_buf->num_enc80211_frame) ||
+	    (data_event->data_length > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE -
+	     sizeof(*data_event))) {
 		WMI_LOGE("FW msg data_len %d more than TLV hdr %d",
 			 data_event->data_length,
 			 param_buf->num_enc80211_frame);
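
Review bot: The WMI_LOGE call in the trailing context still reports only param_buf->num_enc80211_frame with the text "more than TLV hdr", so a message rejected by the new WMI_SVC_MSG_MAX_SIZE bound is logged as if it had failed the TLV element-count check. Either split the two conditions into separate checks with their own messages, or extend the format string to print the computed maximum as well, so that a triage engineer can tell which limit the firmware value exceeded. Separately, sizeof(*data_event) makes the right-hand side of the new comparison an unsigned expression; a compile-time assertion that WMI_SVC_MSG_MAX_SIZE is larger than WMI_TLV_HDR_SIZE plus sizeof(*data_event) would document that the subtraction cannot wrap if the structure or the constants change later. The macro values are not visible in this hunk, so that is a hardening suggestion rather than a claim that the bound is wrong today.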