| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2017-10-17 17:26:50 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-10-29 13:06:25 -0700 |
| commit | 0bdaf42e76038c1531b48bf493677bb45f56f1e9 (patch) | |
| tree | d0c88f5cd683a4be0eb9fc23d6f0aca4f4aed216 | |
| parent | 49427b210be26badcd3b8c4938fd6c0112c0c92f (diff) | |

qcacld-2.0: Avoid integer overflow in wma_ndp_end_indication_event_handler

In function wma_ndp_end_indication_event_handler, num_ndp_end_indication_list
from the fw is used to calculate buf_size which is in turn used to malloc.
This could lead to potential integer overflow if num_ndp_end_indication_list
is a very high value.

Add check to validate num_ndp_end_indication_list does not exceed the max
message size from firmware.

Change-Id: Icbb763bfc14ec0ef8424cab50afa5c6826fd3c60
CRs-Fixed: 2128153

| -rw-r--r-- | CORE/SERVICES/WMA/wma_nan_datapath.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/CORE/SERVICES/WMA/wma_nan_datapath.c b/CORE/SERVICES/WMA/wma_nan_datapath.c index 78022203d7c2..4597a7c6e75d 100644 --- a/CORE/SERVICES/WMA/wma_nan_datapath.c +++ b/CORE/SERVICES/WMA/wma_nan_datapath.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 The Linux Foundation. All rights reserved. + * Copyright (c) 2016-2017 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -783,7 +783,12 @@ static int wma_ndp_end_indication_event_handler(void *handle, WMA_LOGD(FL("number of ndp instances = %d"), event->num_ndp_end_indication_list); - + if (event->num_ndp_end_indication_list > ((WMA_SVC_MSG_MAX_SIZE - + sizeof(*ndp_event_buf)) / sizeof(ndp_event_buf->ndp_map[0]))) { + WMA_LOGE("%s: excess data received from fw num_ndp_end_indication_list %d", + __func__, event->num_ndp_end_indication_list); + return -EINVAL; + } buf_size = sizeof(*ndp_event_buf) + event->num_ndp_end_indication_list * sizeof(ndp_event_buf->ndp_map[0]); ndp_event_buf = vos_mem_malloc(buf_size); |
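
Review bot: In the second hunk (wma_ndp_end_indication_event_handler), the new bound is derived only from the macro WMA_SVC_MSG_MAX_SIZE, so it keeps buf_size from overflowing but does not tie num_ndp_end_indication_list to the number of entries actually present in the received event. If the handler goes on to read that many entries from the event, a count that passes this check can still be larger than what the firmware sent, so consider also validating the count against the length of the event data that was received. The subtraction WMA_SVC_MSG_MAX_SIZE - sizeof(*ndp_event_buf) is unsigned and would wrap if the struct were ever larger than the macro value; a build-time assertion on that relationship would keep the check sound. Minor points: the error log prints the count with %d, which shows a very large value as negative if the field is unsigned (use %u in that case), and the blank line that separated the WMA_LOGD call from the code after it was dropped.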
