
qcacld-3.0: Avoid integer overflow in wma_ndp_end_indication_event_handler

In function wma_ndp_end_indication_event_handler, num_ndp_end_indication_list
from the fw is used to calculate buf_size which is in turn used to malloc.
This could lead to potential integer overflow if num_ndp_end_indication_list
is a very high value.

Add check to validate num_ndp_end_indication_list does not exceed the max
message size from firmware.

Change-Id: Icbb763bfc14ec0ef8424cab50afa5c6826fd3c60
CRs-Fixed: 2114255
Vignesh Viswanathan 7 years ago
Parent
Current commit
a3963373f6
1 file changed, 7 insertions and 0 deletions

+ 7 - 0
core/wma/src/wma_nan_datapath.c

@@ -684,6 +684,13 @@ static int wma_ndp_end_indication_event_handler(void *handle,
 	WMA_LOGD(FL("number of ndp instances = %d"),
 		event->num_ndp_end_indication_list);
 
+	if (event->num_ndp_end_indication_list > ((WMI_SVC_MSG_MAX_SIZE -
+	    sizeof(*ndp_event_buf)) / sizeof(ndp_event_buf->ndp_map[0]))) {
+		WMA_LOGE("%s: excess data received from fw num_ndp_end_indication_list %d",
+			 __func__, event->num_ndp_end_indication_list);
+		return -EINVAL;
+	}
+
 	buf_size = sizeof(*ndp_event_buf) + event->num_ndp_end_indication_list *
 			sizeof(ndp_event_buf->ndp_map[0]);
 	ndp_event_buf = qdf_mem_malloc(buf_size);
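
Review bot: The new bound at `if (event->num_ndp_end_indication_list > ((WMI_SVC_MSG_MAX_SIZE - ...` limits the count only by the maximum WMI message size, so it keeps `buf_size` from wrapping but does not tie the count to the number of list entries actually delivered with this event. If the code after `qdf_mem_malloc(buf_size)` copies that many entries out of the event buffer, a count below the cap but above what was received would still read past the received data; consider also comparing against the received list length, if the event parameters expose one. Two smaller points: the subtraction `WMI_SVC_MSG_MAX_SIZE - sizeof(*ndp_event_buf)` is evaluated in an unsigned type and would wrap to a very large bound if the struct were ever larger than the constant, and the new `WMA_LOGE` uses `"%s: ..."` with `__func__` while the `WMA_LOGD` just above uses `FL()`; using `FL()` here, and `%u` if the field is unsigned, would keep the logging consistent.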