qcacmn: Add length check in ndp event handler

qcacld-2.0 to qcacld-3.0 propagation

Add length checks to prevent the data from overflowing the wmi buffer. The
total length of the data should not exceed the max svc msg size.

CRs-Fixed: 2248879
Change-Id: I1543732fcfe0cb7e32f7175f7775c9550854cae8
gaolez
2018-05-23 14:40:32 +08:00
提交者 nshrivas
父節點 00d767cbb7
當前提交 ab037cf5b5


@@ -16503,6 +16503,7 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
{
WMI_NDP_INDICATION_EVENTID_param_tlvs *event;
wmi_ndp_indication_event_fixed_param *fixed_params;
size_t total_array_len;
event = (WMI_NDP_INDICATION_EVENTID_param_tlvs *)data;
fixed_params =
@@ -16521,6 +16522,31 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
return QDF_STATUS_E_INVAL;
}
if (fixed_params->ndp_cfg_len >
(WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
__func__, fixed_params->ndp_cfg_len);
return QDF_STATUS_E_INVAL;
}
total_array_len = fixed_params->ndp_cfg_len +
sizeof(*fixed_params);
if (fixed_params->ndp_app_info_len >
(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
__func__, fixed_params->ndp_app_info_len);
return QDF_STATUS_E_INVAL;
}
total_array_len += fixed_params->ndp_app_info_len;
if (fixed_params->nan_scid_len >
(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
__func__, fixed_params->nan_scid_len);
return QDF_STATUS_E_INVAL;
}
rsp->vdev =
wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
fixed_params->vdev_id,
@@ -16580,6 +16606,7 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
{
WMI_NDP_CONFIRM_EVENTID_param_tlvs *event;
wmi_ndp_confirm_event_fixed_param *fixed_params;
size_t total_array_len;
event = (WMI_NDP_CONFIRM_EVENTID_param_tlvs *) data;
fixed_params = (wmi_ndp_confirm_event_fixed_param *)event->fixed_param;
@@ -16611,6 +16638,23 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
&event->ndp_app_info, fixed_params->ndp_app_info_len);
if (fixed_params->ndp_cfg_len >
(WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
__func__, fixed_params->ndp_cfg_len);
return QDF_STATUS_E_INVAL;
}
total_array_len = fixed_params->ndp_cfg_len +
sizeof(*fixed_params);
if (fixed_params->ndp_app_info_len >
(WMI_SVC_MSG_MAX_SIZE - total_array_len)) {
WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
__func__, fixed_params->ndp_app_info_len);
return QDF_STATUS_E_INVAL;
}
rsp->vdev =
wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
fixed_params->vdev_id,
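Review bot: In extract_ndp_confirm_tlv the new bounds checks sit after the `QDF_TRACE_HEX_DUMP` of `event->ndp_app_info`, which has already read `fixed_params->ndp_app_info_len` bytes; unless a check above the hunk (not visible here) bounds that length, the dump runs on an unvalidated value taken from the event, so the two checks should move ahead of it. The checks cap the running sum only at `WMI_SVC_MSG_MAX_SIZE`, not at the size of the event actually received, so they appear to rely on separate per-TLV count checks elsewhere in these functions. In both handlers the errors for `ndp_app_info_len` and `nan_scid_len` still print the label `ndp_cfg_len`, which will mislead anyone triaging a rejected event; use `"%s: excess wmi buffer: ndp_app_info_len %d"` and `"%s: excess wmi buffer: nan_scid_len %d"` in the respective branches. Both function bodies start and end outside the hunks shown.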