Halaman utama Jelajahi Bantuan
Masuk
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Jelajahi Sumber

qcacmn: Add length check in ndp event handler

qcacld-2.0 to qcacld-3.0 propagation

Add length check to prevent the data overflow the wmi buffer. The
total length of data should not exceed max svc msg size.

CRs-Fixed: 2248879
Change-Id: I1543732fcfe0cb7e32f7175f7775c9550854cae8
gaolez 7 tahun lalu
induk
f40b2202d4
melakukan
9bb98176f3
1 mengubah file dengan 44 tambahan dan 0 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 44 0
      wmi/src/wmi_unified_tlv.c

+ 44 - 0
wmi/src/wmi_unified_tlv.c
Tampilan Berkas 

@@ -16503,6 +16503,7 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
 
 {
 
 	WMI_NDP_INDICATION_EVENTID_param_tlvs *event;
 
 	wmi_ndp_indication_event_fixed_param *fixed_params;
 
+	size_t total_array_len;
 
 
 	event = (WMI_NDP_INDICATION_EVENTID_param_tlvs *)data;
 
 	fixed_params =
 
@@ -16521,6 +16522,31 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
 
 		return QDF_STATUS_E_INVAL;
 
 	}
 
 
+	if (fixed_params->ndp_cfg_len >
 
+		(WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
 
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
 
+			 __func__, fixed_params->ndp_cfg_len);
 
+		return QDF_STATUS_E_INVAL;
 
+	}
 
+
 
+	total_array_len = fixed_params->ndp_cfg_len +
 
+					sizeof(*fixed_params);
 
+
 
+	if (fixed_params->ndp_app_info_len >
 
+		(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
 
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
 
+			 __func__, fixed_params->ndp_app_info_len);
 
+		return QDF_STATUS_E_INVAL;
 
+	}
 
+	total_array_len += fixed_params->ndp_app_info_len;
 
+
 
+	if (fixed_params->nan_scid_len >
 
+		(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
 
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
 
+			 __func__, fixed_params->nan_scid_len);
 
+		return QDF_STATUS_E_INVAL;
 
+	}
 
+
 
 	rsp->vdev =
 
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
 
 						     fixed_params->vdev_id,
 
@@ -16580,6 +16606,7 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
 
 {
 
 	WMI_NDP_CONFIRM_EVENTID_param_tlvs *event;
 
 	wmi_ndp_confirm_event_fixed_param *fixed_params;
 
+	size_t total_array_len;
 
 
 	event = (WMI_NDP_CONFIRM_EVENTID_param_tlvs *) data;
 
 	fixed_params = (wmi_ndp_confirm_event_fixed_param *)event->fixed_param;
 
@@ -16611,6 +16638,23 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
 
 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
 
 		&event->ndp_app_info, fixed_params->ndp_app_info_len);
 
 
+	if (fixed_params->ndp_cfg_len >
 
+			(WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
 
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
 
+			 __func__, fixed_params->ndp_cfg_len);
 
+		return QDF_STATUS_E_INVAL;
 
+	}
 
+
 
+	total_array_len = fixed_params->ndp_cfg_len +
 
+				sizeof(*fixed_params);
 
+
 
+	if (fixed_params->ndp_app_info_len >
 
+		(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
 
+		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
 
+			 __func__, fixed_params->ndp_app_info_len);
 
+		return QDF_STATUS_E_INVAL;
 
+	}
 
+
 
 	rsp->vdev =
 
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
 
 						     fixed_params->vdev_id,