qcacmn: Add length check in ndp event handler

qcacld-2.0 to qcacld-3.0 propagation

Add length check to prevent the data from overflowing the wmi buffer. The
length in the fixed_params and TLV hdr also needs to be checked.

Change-Id: I2bbf9f08b6c19062324dca420af08ff94835eaca
CRs-Fixed: 2248879
gaolez 5 years ago
parent
commit
f4c326f721

+ 7 - 0
wmi/src/wmi_unified_nan_tlv.c

@@ -744,6 +744,13 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
 		return QDF_STATUS_E_INVAL;
 	}
 
+	if (fixed_params->nan_scid_len > event->num_ndp_scid) {
+		WMI_LOGE("FW msg ndp scid info len %d more than TLV hdr %d",
+			 fixed_params->nan_scid_len,
+			 event->num_ndp_scid);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	if (fixed_params->ndp_cfg_len >
 		(WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
 		WMI_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
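Review bot: the new WMI_LOGE in extract_ndp_ind_tlv has no "%s:" function-name prefix, unlike the "%s: excess wmi buffer: ndp_cfg_len %d" message right below it, and it prints both lengths with %d. Please add the prefix for consistency, and if nan_scid_len and num_ndp_scid are unsigned, switch to %u so an oversized firmware value is not logged as a negative number. On the logic side, the added check bounds nan_scid_len by the TLV count event->num_ndp_scid, while the visible ndp_cfg_len check only bounds that field against WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_params). The commit message says the lengths in both fixed_params and the TLV header need checking, so it is worth confirming that every other firmware-supplied length used in this handler is also compared against its own TLV element count before it is used as a copy size.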