Browse Source

qcacmn: Fix OOB in extract_service_ready_ext_tlv()

num_chainmask_tables used as a for loop variable in
extract_service_ready_ext_tlv(), is never bound check
and may lead to OOB.

Change-Id: Ib0fdde8386fc372abee44934e10e9f54b0fe25b8
CRS-Fixed: 2330943
Harprit Chhabada 6 years ago
parent
commit
d063d7486c
1 changed files with 7 additions and 0 deletions
  1. 7 0
      wmi/src/wmi_unified_tlv.c

+ 7 - 0
wmi/src/wmi_unified_tlv.c

@@ -9004,6 +9004,13 @@ static QDF_STATUS extract_service_ready_ext_tlv(wmi_unified_t wmi_handle,
 	} else
 		param->num_chainmask_tables = 0;
 
+	if (param->num_chainmask_tables > PSOC_MAX_CHAINMASK_TABLES ||
+	    param->num_chainmask_tables >
+		param_buf->num_mac_phy_chainmask_combo) {
+		wmi_err_rl("num_chainmask_tables is OOB: %u",
+			   param->num_chainmask_tables);
+		return QDF_STATUS_E_INVAL;
+	}
 	chain_mask_combo = param_buf->mac_phy_chainmask_combo;
 
 	if (chain_mask_combo == NULL)