authorRajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>2019-05-08 18:45:44 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2019-05-14 23:35:06 -0700
commit1083615c2ba0f9f973cc778082f842775e55e19b (patch)
treee98b489b2529210d79a958a798b82d39afea3d3c
parent21a2827a62cebcc49e4a606bfadce3c6110a514f (diff)
qcacmn: Fix possible NULL dereference in apf read
While processing WMI_BPF_GET_VDEV_WORK_MEMORY_RESP_EVENTID, in wma_apf_read_work_memory_event_handler() apf read callback is invoked after wmi_extract_apf_read_memory_resp_event_tlv(). During extraction of apf attributes there is no NULL check of data tlv when data length is non-zero. If the firmware message is wrongly crafted with non-zero length in fixed param and NULL data then NULL pointer dereference is seen in apf read callback. To address this, avoid copy when data is NULL and data length is non-zero. Change-Id: Ie054c487ead5c929e5a293651a65383d6f87dc71 CRs-Fixed: 2446019
-rw-r--r--wmi/src/wmi_unified_apf_tlv.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/wmi/src/wmi_unified_apf_tlv.c b/wmi/src/wmi_unified_apf_tlv.c
index 91ddd7022402..ab9613c4b430 100644
--- a/wmi/src/wmi_unified_apf_tlv.c
+++ b/wmi/src/wmi_unified_apf_tlv.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -211,10 +211,11 @@ extract_apf_read_memory_resp_event_tlv(wmi_unified_t wmi_handle, void *evt_buf,
param_buf->num_data);
return QDF_STATUS_E_INVAL;
}
- resp->length = data_event->length;
- if (resp->length)
+ if (data_event->length && param_buf->data) {
+ resp->length = data_event->length;
resp->data = (uint8_t *)param_buf->data;
+ }
return QDF_STATUS_SUCCESS;
}
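Review bot: The malformed case the commit targets (non-zero `data_event->length` with a NULL `param_buf->data`) now falls through to `return QDF_STATUS_SUCCESS;` with `resp->length` and `resp->data` left untouched, so a caller that did not zero `resp` beforehand reports success with a stale length and no data pointer. The check just above this one already rejects an inconsistent `num_data` with `QDF_STATUS_E_INVAL`, and a length with no payload is the same class of firmware input, so it would be more consistent to reject it the same way: `if (data_event->length && !param_buf->data) return QDF_STATUS_E_INVAL;` before the existing assignments. If silently dropping the payload is intended instead, the function should at least assign `resp->length = 0; resp->data = NULL;` ahead of the guarded block so the output is well-defined on every path. Whether the earlier check bounds `length` against `num_data` is not visible in this hunk and is worth confirming, since `resp->length` is taken from the fixed-param TLV rather than the data TLV's actual size. The body of extract_apf_read_memory_resp_event_tlv starts outside the hunk.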