diff options
| author | Vignesh Viswanathan <viswanat@codeaurora.org> | 2017-09-21 13:08:56 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-10-10 04:56:21 -0700 |
| commit | 176b038f281e39ccc9c5dc4c3f899d89e254328f (patch) | |
| tree | 40802b6fdd18efe32977666329da812fa9b2f5ad | |
| parent | f10e1fbc5c9d5f5f007b8d4f8526440c7496f7db (diff) | |
qcacld-2.0: Add sanity check to avoid overflow in WMI event data
In WMA, data from firmware event buffer is used without
sanity checks for upper limit. This might lead to a potential
integer overflow further leading to buffer corruption.
Add sanity check to avoid integer overflow.
Change-Id: Id47e12015a4d46af24180b621b52ffcb17596c07
CRs-Fixed: 2113919
| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c index 0f825c7700f1..a2356f5ecdcf 100644 --- a/CORE/SERVICES/WMA/wma.c +++ b/CORE/SERVICES/WMA/wma.c @@ -6350,6 +6350,14 @@ static int wma_unified_power_debug_stats_event_handler(void *handle, return -EINVAL; } + if (param_buf->num_debug_register > ((WMA_SVC_MSG_MAX_SIZE - + sizeof(wmi_pdev_chip_power_stats_event_fixed_param)) / + sizeof(uint32_t))) { + WMA_LOGE("excess payload: LEN num_debug_register:%u", + param_buf->num_debug_register); + return -EINVAL; + } + debug_registers = param_tlvs->debug_registers; stats_registers_len = (sizeof(uint32_t) * param_buf->num_debug_register); |