authorCNSS_WLAN Service <cnssbldsw@qualcomm.com>2017-09-29 15:53:40 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2017-09-29 15:53:40 -0700
commit04650c889dc58f11ef95048690fb0d798377e66c (patch)
tree00c139e5c9cd69b5fe5c79cb4fde2c7cef941d04
parent063a54b19ad4ca7f2b2ff8c598933f506668f8d5 (diff)
parentbc5d3afd4cbab2c98d3366b90cbd0b3b56d01a70 (diff)
Merge "qcacld-3.0: Avoid integer overflow in wma_peer_info_event_handler" into wlan-cld3.driver.lnx.1.1
-rw-r--r--core/wma/src/wma_utils.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index d296bcda186f..4ee66cf728c8 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -3259,6 +3259,13 @@ int wma_peer_info_event_handler(void *handle, u_int8_t *cmd_param_info,
WMA_LOGI("%s Recv WMI_PEER_STATS_INFO_EVENTID", __func__);
event = param_buf->fixed_param;
+ if (event->num_peers >
+ ((WMI_SVC_MSG_MAX_SIZE -
+ sizeof(wmi_peer_stats_info_event_fixed_param))/
+ sizeof(wmi_peer_stats_info))) {
+ WMA_LOGE("Excess num of peers from fw %d", event->num_peers);
+ return -EINVAL;
+ }
buf_size = sizeof(wmi_peer_stats_info_event_fixed_param) +
sizeof(wmi_peer_stats_info) * event->num_peers;
buf = qdf_mem_malloc(buf_size);
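Review bot: The added guard on `event->num_peers` compares the firmware-supplied count only with the largest count a WMI message could hold, not with the number of `wmi_peer_stats_info` entries actually carried in this event. That keeps `buf_size` from wrapping, but the function body continues outside the hunk, and if it copies `num_peers` entries out of the event buffer, a count larger than what was delivered could still read past the received data. If the parsed TLV struct exposes the element count for the peer-stats array (in this driver it is usually a `num_peer_stats_info` member of `param_buf`, to be confirmed), also reject the event when `event->num_peers` exceeds it. Separately, if `num_peers` is an unsigned field, the log line should use the matching specifier: `WMA_LOGE("Excess num of peers from fw %u", event->num_peers);`.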