Sākums Izpētīt Palīdzība
Pierakstīties
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Pārlūkot izejas kodu

qcacld-3.0: Avoid integer overflow in wma_ndp_end_indication_event_handler

In function wma_ndp_end_indication_event_handler, num_ndp_end_indication_list
from the fw is used to calculate buf_size which is in turn used to malloc.
This could lead to potential integer overflow if num_ndp_end_indication_list
is a very high value.

Add check to validate num_ndp_end_indication_list does not exceed the max
message size from firmware.

Change-Id: Icbb763bfc14ec0ef8424cab50afa5c6826fd3c60
CRs-Fixed: 2114255
Vignesh Viswanathan 7 gadi atpakaļ
vecāks
1a99fe0842
revīzija
a3963373f6
1 mainītis faili ar 7 papildinājumiem un 0 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 7 0
      core/wma/src/wma_nan_datapath.c

+ 7 - 0
core/wma/src/wma_nan_datapath.c
Parādīt failu 

@@ -684,6 +684,13 @@ static int wma_ndp_end_indication_event_handler(void *handle,
 
 	WMA_LOGD(FL("number of ndp instances = %d"),
 
 		event->num_ndp_end_indication_list);
 
 
+	if (event->num_ndp_end_indication_list > ((WMI_SVC_MSG_MAX_SIZE -
 
+	    sizeof(*ndp_event_buf)) / sizeof(ndp_event_buf->ndp_map[0]))) {
 
+		WMA_LOGE("%s: excess data received from fw num_ndp_end_indication_list %d",
 
+			 __func__, event->num_ndp_end_indication_list);
 
+		return -EINVAL;
 
+	}
 
+
 
 	buf_size = sizeof(*ndp_event_buf) + event->num_ndp_end_indication_list *
 
 			sizeof(ndp_event_buf->ndp_map[0]);
 
 	ndp_event_buf = qdf_mem_malloc(buf_size);