From b69d6e0499599610ebd73b23dccd1bdb3f2b6410 Mon Sep 17 00:00:00 2001
From: Surabhi Vishnoi
Date: Tue, 14 Sep 2021 10:55:14 +0530
Subject: [PATCH] qcacmn: Fix possible OOB write in extract_time_sync_ftm_offset_event_tlv

In extract_time_sync_ftm_offset_event_tlv there is a possible OOB write when value of num_qtime received from firmware is greater than FTM_TIME_SYNC_QTIME_PAIR_MAX. Fix is to add a sanity check for value of num_qtime received from firmware to avoid the OOB write.

Change-Id: I6e57b1d716992d1a3c7d2f7ea911fefcbfbeff34
CRs-Fixed: 3033509
---
 wmi/src/wmi_unified_tlv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 5b588000b4..27e290650e 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -15525,6 +15525,9 @@ extract_time_sync_ftm_offset_event_tlv(wmi_unified_t wmi, void *buf,
 param->vdev_id = resp_event->vdev_id;
 param->num_qtime = param_buf->num_audio_sync_q_master_slave_times;
+ if (param->num_qtime > FTM_TIME_SYNC_QTIME_PAIR_MAX)
+ param->num_qtime = FTM_TIME_SYNC_QTIME_PAIR_MAX;
+
 q_pair = param_buf->audio_sync_q_master_slave_times;
 if (!q_pair) {
 wmi_err("Invalid q_master_slave_times buffer");