samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix possible OOB write in extract_time_sync_ftm_offset_event_tlv

Browse Source 
In extract_time_sync_ftm_offset_event_tlv there is a possible
OOB write when value of num_qtime received from firmware is
greater than FTM_TIME_SYNC_QTIME_PAIR_MAX.

Fix is to add a sanity check for value of num_qtime received from
firmware to avoid the OOB write.

Change-Id: I6e57b1d716992d1a3c7d2f7ea911fefcbfbeff34
CRs-Fixed: 3033509
This commit is contained in:
Surabhi Vishnoi
2021-09-14 10:55:14 +05:30
committed by Madan Koyyalamudi
parent 6f20be8754
commit b69d6e0499
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
wmi/src/wmi_unified_tlv.c
View File

@@ -15525,6 +15525,9 @@ extract_time_sync_ftm_offset_event_tlv(wmi_unified_t wmi, void *buf,
param->vdev_id = resp_event->vdev_id;
param->num_qtime = param_buf->num_audio_sync_q_master_slave_times;
if (param->num_qtime > FTM_TIME_SYNC_QTIME_PAIR_MAX)
param->num_qtime = FTM_TIME_SYNC_QTIME_PAIR_MAX;
q_pair = param_buf->audio_sync_q_master_slave_times;
if (!q_pair) {
wmi_err("Invalid q_master_slave_times buffer");