samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Vork 0
Code Kwesties Pull-aanvragen Actions Packages Projecten Publicaties Wiki Activiteit

qcacmn: Fix possible buffer overflow in send_stats_ext_req_cmd_tlv

Bladeren bron 
In the function __wlan_hdd_cfg80211_stats_ext_request,
data_len is recieved from vendor command and is passed ultimately
to send_stats_ext_req_cmd_tlv.  In send_stats_ext_req_cmd_tlv, len
is calculated as sum of sizeof(*cmd), WMI_TLV_HDR_SIZE,
preq->request_data_len.The len is of type uint16_t
and adding sizeof(*cmd) + WMI_TLV_HDR_SIZE will cause a buffer
overflow.

Changed the datatype of len to size_t so that it doesn't overflow.

Change-Id: I6618042e3c60bbdb1ff5d833188f4bdb4832da7a
CRs-Fixed: 2243169
This commit is contained in:
Pragaspathi Thilagaraj
2018-05-16 18:51:32 +05:30
gecommit door nshrivas
bovenliggende 1e8e057a77
commit e449244e9f
1 gewijzigde bestanden met toevoegingen van 1 en 1 verwijderingen
Download Patch-bestand Download Diff-bestand Expand all files Collapse all files

2
wmi/src/wmi_unified_tlv.c
Bestand weergeven

@@ -9294,7 +9294,7 @@ static QDF_STATUS send_stats_ext_req_cmd_tlv(wmi_unified_t wmi_handle,
QDF_STATUS ret; QDF_STATUS ret;
wmi_req_stats_ext_cmd_fixed_param *cmd; wmi_req_stats_ext_cmd_fixed_param *cmd;
wmi_buf_t buf; wmi_buf_t buf;
uint16_t len; size_t len;
uint8_t *buf_ptr; uint8_t *buf_ptr;
len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + preq->request_data_len; len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + preq->request_data_len;