diff options
| author | CNSS_WLAN Service <cnssbldsw@qualcomm.com> | 2017-09-29 15:53:40 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-09-29 15:53:40 -0700 |
| commit | 04650c889dc58f11ef95048690fb0d798377e66c (patch) | |
| tree | 00c139e5c9cd69b5fe5c79cb4fde2c7cef941d04 | |
| parent | 063a54b19ad4ca7f2b2ff8c598933f506668f8d5 (diff) | |
| parent | bc5d3afd4cbab2c98d3366b90cbd0b3b56d01a70 (diff) | |
Merge "qcacld-3.0: Avoid integer overflow in wma_peer_info_event_handler" into wlan-cld3.driver.lnx.1.1
| -rw-r--r-- | core/wma/src/wma_utils.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c index d296bcda186f..4ee66cf728c8 100644 --- a/core/wma/src/wma_utils.c +++ b/core/wma/src/wma_utils.c @@ -3259,6 +3259,13 @@ int wma_peer_info_event_handler(void *handle, u_int8_t *cmd_param_info, WMA_LOGI("%s Recv WMI_PEER_STATS_INFO_EVENTID", __func__); event = param_buf->fixed_param; + if (event->num_peers > + ((WMI_SVC_MSG_MAX_SIZE - + sizeof(wmi_peer_stats_info_event_fixed_param))/ + sizeof(wmi_peer_stats_info))) { + WMA_LOGE("Excess num of peers from fw %d", event->num_peers); + return -EINVAL; + } buf_size = sizeof(wmi_peer_stats_info_event_fixed_param) + sizeof(wmi_peer_stats_info) * event->num_peers; buf = qdf_mem_malloc(buf_size); |
