qcacmn: Fix possible OOB read in extract_pdev_utf_event_tlv
The function extract_pdev_utf_event_tlv is called when the WMI event WMI_PDEV_UTF_EVENTID is received. The event_buf argument to it is fully FW controlled. The code assumes that the WMI message is at least the size of struct wmi_host_utf_seg_header_info, which could lead to OOB read issues when a shorter message is sent. Add a check that validates event->datalen against sizeof(struct wmi_host_utf_seg_header_info) before copying to seg_hdr. Change-Id: I1a8313f11013722edb601c009e59b1509fda3280 CRs-Fixed: 2305465

committed by
nshrivas

父節點
3777304934
當前提交
d8d0e15e67
@@ -19208,6 +19208,11 @@ static QDF_STATUS extract_pdev_utf_event_tlv(wmi_unified_t wmi_handle,
|
||||
param_buf = (WMI_PDEV_UTF_EVENTID_param_tlvs *)evt_buf;
|
||||
event->data = param_buf->data;
|
||||
event->datalen = param_buf->num_data;
|
||||
|
||||
if (event->datalen < sizeof(struct wmi_host_utf_seg_header_info)) {
|
||||
WMI_LOGE("%s: Invalid datalen: %d ", __func__, event->datalen);
|
||||
return QDF_STATUS_E_INVAL;
|
||||
}
|
||||
seg_hdr = (struct wmi_host_utf_seg_header_info *)param_buf->data;
|
||||
/* Set pdev_id=1 until FW adds support to include pdev_id */
|
||||
event->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host(
|
||||
|
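Review bot: The length check runs only after `event->data` and `event->datalen` have already been written from the firmware-supplied TLV, so on the `QDF_STATUS_E_INVAL` path the caller's event structure still points at the undersized buffer. Testing the source field first, `if (param_buf->num_data < sizeof(struct wmi_host_utf_seg_header_info)) {`, ahead of the two assignments would leave `event` untouched on rejection, which matters if any caller reads it without checking the returned status. The log line prints `event->datalen` with `%d`; if the field is an unsigned type (its declaration is not visible here), `%u` is the matching specifier, and the trailing space inside the format string can be dropped. The body of extract_pdev_utf_event_tlv starts and ends outside this hunk, so whether `param_buf` itself is NULL-checked before it is dereferenced cannot be confirmed from these lines.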