qcacmn: Fix Integer Overflow Leading to Buffer Overflow

The wmi_buf_alloc() API expects the length to be passed as
uint16_t. However, its callers pass uint32_t values to it.
This might result in overflow and illegal memory access
thereafter. The fix is to modify the API signature accordingly.

Change-Id: If09da4978d421269b884f7d3c933c49c81651475
CRs-Fixed: 2218346
Debasis Das
2018-04-04 17:17:55 +05:30
committed by nshrivas
parent ed200e5218
commit eaf8a8bd28


@@ -1209,7 +1209,7 @@ int wmi_get_host_credits(wmi_unified_t wmi_handle);
#ifdef NBUF_MEMORY_DEBUG #ifdef NBUF_MEMORY_DEBUG
wmi_buf_t wmi_buf_t
wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len, uint8_t *file_name, wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len, uint8_t *file_name,
uint32_t line_num) uint32_t line_num)
{ {
wmi_buf_t wmi_buf; wmi_buf_t wmi_buf;
@@ -1245,7 +1245,7 @@ void wmi_buf_free(wmi_buf_t net_buf)
} }
qdf_export_symbol(wmi_buf_free); qdf_export_symbol(wmi_buf_free);
#else #else
wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len) wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
{ {
wmi_buf_t wmi_buf; wmi_buf_t wmi_buf;
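Review bot: Neither `wmi_buf_alloc_debug()` nor `wmi_buf_alloc()` shows an upper bound on the now 32-bit `len`, so the change removes the truncation at the call boundary but may only move the overflow inward. Both bodies continue outside the hunks; if they add headroom or round `len` up before calling the nbuf allocator, that arithmetic can still wrap for values near `UINT32_MAX` and yield an undersized buffer. I would reject oversized requests at the top of both functions, e.g. `if (len > MAX_MSG_LEN /* placeholder: the transport's message limit */) return NULL;`, and document in the function comment that callers must handle a NULL return. It is also worth confirming that the header prototypes and any callers that held the length in a `uint16_t` local were widened in the same change, since those are not visible here.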