
qcacmn: Add length check in ndp event handler

qcacld-2.0 to qcacld-3.0 propagation

Add a length check to prevent the data from overflowing the wmi buffer. The
total length of the data should not exceed the max svc msg size.

CRs-Fixed: 2248879
Change-Id: I1543732fcfe0cb7e32f7175f7775c9550854cae8
gaolez преди 7 години
родител
ревизия
9bb98176f3
променени са 1 файла, в които са добавени 44 реда и са изтрити 0 реда
  1. 44 0
      wmi/src/wmi_unified_tlv.c

+ 44 - 0
wmi/src/wmi_unified_tlv.c

@@ -16503,6 +16503,7 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
 {
 	WMI_NDP_INDICATION_EVENTID_param_tlvs *event;
 	wmi_ndp_indication_event_fixed_param *fixed_params;
+	size_t total_array_len;
 
 	event = (WMI_NDP_INDICATION_EVENTID_param_tlvs *)data;
 	fixed_params =
@@ -16521,6 +16522,31 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
 		return QDF_STATUS_E_INVAL;
 	}
 
+	if (fixed_params->ndp_cfg_len >
+		(WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+			 __func__, fixed_params->ndp_cfg_len);
+		return QDF_STATUS_E_INVAL;
+	}
+
+	total_array_len = fixed_params->ndp_cfg_len +
+					sizeof(*fixed_params);
+
+	if (fixed_params->ndp_app_info_len >
+		(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+			 __func__, fixed_params->ndp_app_info_len);
+		return QDF_STATUS_E_INVAL;
+	}
+	total_array_len += fixed_params->ndp_app_info_len;
+
+	if (fixed_params->nan_scid_len >
+		(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+			 __func__, fixed_params->nan_scid_len);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	rsp->vdev =
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
 						     fixed_params->vdev_id,
@@ -16580,6 +16606,7 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
 {
 	WMI_NDP_CONFIRM_EVENTID_param_tlvs *event;
 	wmi_ndp_confirm_event_fixed_param *fixed_params;
+	size_t total_array_len;
 
 	event = (WMI_NDP_CONFIRM_EVENTID_param_tlvs *) data;
 	fixed_params = (wmi_ndp_confirm_event_fixed_param *)event->fixed_param;
@@ -16611,6 +16638,23 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
 		&event->ndp_app_info, fixed_params->ndp_app_info_len);
 
+	if (fixed_params->ndp_cfg_len >
+			(WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+			 __func__, fixed_params->ndp_cfg_len);
+		return QDF_STATUS_E_INVAL;
+	}
+
+	total_array_len = fixed_params->ndp_cfg_len +
+				sizeof(*fixed_params);
+
+	if (fixed_params->ndp_app_info_len >
+		(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+			 __func__, fixed_params->ndp_app_info_len);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	rsp->vdev =
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
 						     fixed_params->vdev_id,
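Review bot: In extract_ndp_confirm_tlv the QDF_TRACE_HEX_DUMP on the two context lines above the new block still reads `fixed_params->ndp_app_info_len` bytes from `event->ndp_app_info` before that length is validated, so the new bound check runs after the unvalidated length has already been used; the added block should sit above the dump (or the dump below it). The error strings on the second and third checks are copy-pasted from the first and name the wrong field: in the indication hunk they should read `WMI_LOGE("%s: excess wmi buffer: ndp_app_info_len %d",` and `WMI_LOGE("%s: excess wmi buffer: nan_scid_len %d",`, and the ndp_app_info check in the confirm hunk has the same mislabel. If the `*_len` fields are unsigned 32-bit values, as the other WMI TLV fixed params appear to be (confirm against the struct definitions), `%u` is the matching format specifier rather than `%d`. Both functions' bodies begin and end outside the hunks shown.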