samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Add sanity check to avoid len overflow issue in WMI event data

Browse Source 
In WMI/WMA, data from event buffer from FW is used without
sanity checks for upper limit in multiple places. This might
lead to a potential integer overflow further leading to buffer
corruption

Add upper bound checks for max limit of event buffer (1536)
in all affected places to prevent the potential integer
overflow

Change-Id: Ic9194a27c4a4c63fc68ff7fc61165a53e66ca4f4
CRs-Fixed: 2095545
This commit is contained in:
Varun Reddy Yeturu
2017-08-20 13:41:02 -07:00
committed by snandini
parent de5223472b
commit c799752ca9
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
wmi_unified_tlv.c
View File

@@ -12447,6 +12447,13 @@ static QDF_STATUS send_log_supported_evt_cmd_tlv(wmi_unified_t wmi_handle,
if (wmi_handle->events_logs_list) if (wmi_handle->events_logs_list)
qdf_mem_free(wmi_handle->events_logs_list); qdf_mem_free(wmi_handle->events_logs_list);
if (num_of_diag_events_logs >
(WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t))) {
WMI_LOGE("%s: excess num of logs:%d", __func__,
num_of_diag_events_logs);
QDF_ASSERT(0);
return QDF_STATUS_E_INVAL;
}
/* Store the event list for run time enable/disable */ /* Store the event list for run time enable/disable */
wmi_handle->events_logs_list = qdf_mem_malloc(num_of_diag_events_logs * wmi_handle->events_logs_list = qdf_mem_malloc(num_of_diag_events_logs *
sizeof(uint32_t)); sizeof(uint32_t));