From a79e7f2eed47e846fdca86b41280d3ee6b898f7a Mon Sep 17 00:00:00 2001
From: Yeshwanth Sriram Guntuka
Date: Fri, 22 Jun 2018 18:25:45 +0530
Subject: [PATCH] qcacmn: Fix possible buffer overflow in wma_encrypt_decrypt_msg_handler

Data len received in encrypt decrypt data response is not validated against the max allowed size which can result in buffer overflow. Fix is to validate data len against max allowed size.

Change-Id: I69bd8e63014220e5a2f291e4a0b1914d10c79fd7
CRs-Fixed: 2226375
---
wmi_unified_tlv.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/wmi_unified_tlv.c b/wmi_unified_tlv.c
index 4327481a63..a4feac07c7 100644
--- a/wmi_unified_tlv.c
+++ b/wmi_unified_tlv.c
@@ -5886,7 +5886,9 @@ QDF_STATUS extract_encrypt_decrypt_resp_event_tlv(wmi_unified_t wmi_handle,
 resp->vdev_id = data_event->vdev_id;
 resp->status = data_event->status;
- if (data_event->data_length > param_buf->num_enc80211_frame) {
+ if ((data_event->data_length > param_buf->num_enc80211_frame) ||
+ (data_event->data_length > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE -
+ sizeof(*data_event))) {
 WMI_LOGE("FW msg data_len %d more than TLV hdr %d",
 data_event->data_length, param_buf->num_enc80211_frame);