qcacmn: Add length check in ndp event handler

qcacld-2.0 to qcacld-3.0 propagation

Add a length check to prevent the data from overflowing the wmi buffer. The
lengths in the fixed_params and the TLV hdr also need to be checked.

Change-Id: I2bbf9f08b6c19062324dca420af08ff94835eaca
CRs-Fixed: 2248879
gaolez
2020-06-16 15:34:01 +08:00
committed by nshrivas
parent 53ffdd36b9
commit f4c326f721


@@ -744,6 +744,13 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
return QDF_STATUS_E_INVAL;
}
if (fixed_params->nan_scid_len > event->num_ndp_scid) {
WMI_LOGE("FW msg ndp scid info len %d more than TLV hdr %d",
fixed_params->nan_scid_len,
event->num_ndp_scid);
return QDF_STATUS_E_INVAL;
}
if (fixed_params->ndp_cfg_len >
(WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",