From 9d1359fa510cbf6f18dd04b34afa224f8538a697 Mon Sep 17 00:00:00 2001 From: Debasis Das Date: Wed, 4 Apr 2018 17:17:55 +0530 Subject: [PATCH] qcacmn: Fix Integer Overflow Leading to Buffer Overflow wmi_buf_alloc() API expects length to be passed of type uint16_t. However, the callers pass uint32_t to it. This might result in overflow and illegal memory access thereafter. The fix is to modify the API signature accordingly. Change-Id: If09da4978d421269b884f7d3c933c49c81651475 CRs-Fixed: 2218346 --- wmi_unified_api.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wmi_unified_api.h b/wmi_unified_api.h index 680226abe7..f8cf143eb1 100644 --- a/wmi_unified_api.h +++ b/wmi_unified_api.h @@ -195,10 +195,10 @@ wmi_unified_remove_work(struct wmi_unified *wmi_handle); #ifdef NBUF_MEMORY_DEBUG #define wmi_buf_alloc(h, l) wmi_buf_alloc_debug(h, l, __FILE__, __LINE__) wmi_buf_t -wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len, +wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len, uint8_t *file_name, uint32_t line_num); #else -wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len); +wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len); #endif /**