| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2017-10-18 13:02:34 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-11-05 21:52:47 -0800 |
| commit | 0f2f8041e3ef0d2a348d99364367dae05ff5b53b (patch) | |
| tree | a84ad9ca077a2a61ff118e429bd93e0c13617545 | |
| parent | ea4459a044783649b1695653f848647c68bee69d (diff) | |
qcacld-2.0: Add checks for security vulnerability
Add checks to extscan and ocb FW message handlers.
Change-Id: I1ff5b1f8722545de4cc4f10d23ff9b914ae3428c
CRs-Fixed: 2125950
| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 7 | ||||
| -rw-r--r-- | CORE/SERVICES/WMA/wma_ocb.c | 10 |
2 files changed, 15 insertions, 2 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 1df6fd2ebf12..9bdc275bac0f 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -4080,9 +4080,14 @@ static int wma_extscan_operations_event_handler(void *handle,
 return -EINVAL;
 }
 event = param_buf->fixed_param;
+ if (event->num_buckets > param_buf->num_bucket_id) {
+ WMA_LOGE("FW mesg num_buk %d more than TLV hdr %d",
+ event->num_buckets,
+ param_buf->num_bucket_id);
+ return -EINVAL;
+ }
 buf_len = sizeof(*buf);
 buf = vos_mem_malloc(buf_len);
-
 if (!buf) {
 WMA_LOGE("%s: extscan memory allocation failed", __func__);
 return -ENOMEM;
diff --git a/CORE/SERVICES/WMA/wma_ocb.c b/CORE/SERVICES/WMA/wma_ocb.c
index ef62c6b6368b..efd1447f237e 100644
--- a/CORE/SERVICES/WMA/wma_ocb.c
+++ b/CORE/SERVICES/WMA/wma_ocb.c
@@ -1022,8 +1022,16 @@ int wma_dcc_stats_event_handler(void *handle, uint8_t *event_buf,
 VOS_ASSERT(0);
 return -EINVAL;
 }
+
+ if (fix_param->num_channels > param_tlvs->num_stats_per_channel_list) {
+ WMA_LOGE("FW message num_chan %d more than TLV hdr %d",
+ fix_param->num_channels,
+ param_tlvs->num_stats_per_channel_list);
+ return -EINVAL;
+ }
+
+
 response = vos_mem_malloc(sizeof(*response) +
- fix_param->num_channels * sizeof(wmi_dcc_ndl_stats_per_channel));
+ fix_param->num_channels * sizeof(wmi_dcc_ndl_stats_per_channel));
 if (response == NULL)
 return -ENOMEM;
 response->vdev_id = fix_param->vdev_id; |
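Review bot: The new `WMA_LOGE` in wma_extscan_operations_event_handler prints both counts with `%d`, and the wma_dcc_stats_event_handler hunk does the same. The field declarations are not in the hunk, but if they are unsigned 32-bit, an oversized firmware value (the case this check rejects) would be logged as a negative number. The message also drops the `"%s: ", __func__` prefix that the allocation-failure message a few lines below uses. I would write `WMA_LOGE("%s: FW num_buckets %u exceeds TLV count %u", __func__, event->num_buckets, param_buf->num_bucket_id);` and put a comment above the check, `/* num_buckets is taken from the FW message; reject it when it exceeds the element count carried in the TLV header */`. The function body starts and ends outside the hunk.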
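Review bot: The size passed to `vos_mem_malloc` in wma_dcc_stats_event_handler, `sizeof(*response) + fix_param->num_channels * sizeof(wmi_dcc_ndl_stats_per_channel)`, is still computed with no overflow guard of its own. Its safety depends on the new `num_stats_per_channel_list` comparison and on the earlier check, whose condition lies above the hunk and which ends in `VOS_ASSERT(0)`. A comment at the allocation would stop a later edit from removing either bound: `/* num_channels is bounded by the two checks above, so this product cannot wrap */`. The re-indentation of the continuation line is whitespace-only and would be easier to audit in a separate commit. The function continues past the end of the hunk, so I cannot confirm that the copy into `response` uses the same validated count.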
