From c352d6073172d79d731ae7349af910debf717d77 Mon Sep 17 00:00:00 2001 From: Vignesh Viswanathan Date: Fri, 15 Jun 2018 12:42:45 +0530 Subject: [PATCH] qcacmn: Fix Uninitialized byte sent to FW in wmi_unified_cmd_send In wmi_unified_cmd_send, the skb head is pushed by size of WMI_CMD_HDR and then the commandId is initialized in the header. However 1 byte of reserved memory in the WMI_CMD_HDR is not initialized and is sent to the FW as it is and this might lead to exposure of 1 byte of kernel memory to FW. Initialize the WMI_CMD_HDR to zero once the skb head is pushed and then set the commandId in the header. Change-Id: I89fd5401105cd9c61674a63aac5aa88fb20cc41a CRs-Fixed: 2257688 --- wmi/src/wmi_unified.c | 1 + 1 file changed, 1 insertion(+) diff --git a/wmi/src/wmi_unified.c b/wmi/src/wmi_unified.c index ae41e9d79e..1db454b923 100644 --- a/wmi/src/wmi_unified.c +++ b/wmi/src/wmi_unified.c @@ -1387,6 +1387,7 @@ QDF_STATUS wmi_unified_cmd_send(wmi_unified_t wmi_handle, wmi_buf_t buf, return QDF_STATUS_E_NOMEM; } + qdf_mem_zero(qdf_nbuf_data(buf), sizeof(WMI_CMD_HDR)); WMI_SET_FIELD(qdf_nbuf_data(buf), WMI_CMD_HDR, COMMANDID, cmd_id); qdf_atomic_inc(&wmi_handle->pending_cmds);
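Review bot: the `qdf_mem_zero(qdf_nbuf_data(buf), sizeof(WMI_CMD_HDR));` line sits correctly between the `return QDF_STATUS_E_NOMEM;` check and the `WMI_SET_FIELD(... COMMANDID, cmd_id)` write, so the reserved byte of WMI_CMD_HDR is cleared before the command id is set and nothing uninitialized reaches the firmware; the one thing missing is a short comment on that line stating why the whole header is zeroed (the reserved field is otherwise sent as-is and would leak a byte of kernel memory), since a later reader could assume WMI_SET_FIELD initializes the full header and drop the call as redundant. The diff only shows the failure branch of the preceding push, so it is worth confirming in the surrounding code that `qdf_nbuf_data(buf)` already points at the freshly pushed WMI_CMD_HDR region at this point, and that any other path building a WMI_CMD_HDR by hand applies the same zeroing.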