| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2017-10-23 12:11:18 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-11-05 22:58:37 -0800 |
| commit | 161d2ff06eaaa5c4c4f5207098cc0f7328577809 (patch) | |
| tree | c55288e9671ed269a7ab69c71a8d73a8ebf24d16 | |
| parent | 9771e7baaef3aafcd0ae3e78e2b152fb2fa92df6 (diff) | |
qcacld-2.0: Fix Integer overflow in wma_tbttoffset_update_event_handler()
Currently, the value of param_buf->num_tbttoffset_list received
from FW is used to allocate the memory for a local buffer to store
the tbtt offset list. If the value of param_buf->num_tbttoffset_list
is very large, then during memory allocation the input argument can
overflow. As a result of this integer overflow, a heap overwrite
can occur during memory copy.
Add a sanity check to make sure param_buf->num_tbttoffset_list does
not exceed the maximum limit.
Change-Id: I23528830ddb0f43c777e6124919cc35fe9a523d5
CRs-Fixed: 2114336
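The arithmetic the commit message describes, as an added example that is not part of the qcacld-2.0 source: the allocation size is header + one length word + count * 4, computed in 32-bit unsigned arithmetic, so a large enough count wraps the size to a small number while the later copy still uses the full count. The `fixed_param_t` struct below is a hypothetical stand-in for `wmi_tbtt_offset_event_fixed_param` (only its size matters), and `tbtt_max_count()` reproduces the bound the patch checks against.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Hypothetical stand-in for wmi_tbtt_offset_event_fixed_param; the real
 * struct lives in the WMI headers and only its size is relevant here. */
typedef struct {
    uint32_t tlv_header;
    uint32_t num_vdevs;
} fixed_param_t;

/* Largest count for which header + length word + count * 4 still fits in a
 * 32-bit size argument. Same formula as the patch's sanity check. */
static uint32_t tbtt_max_count(void)
{
    return (uint32_t)((UINT_MAX - sizeof(uint32_t) - sizeof(fixed_param_t))
                      / sizeof(uint32_t));
}

/* Unchecked size computation, deliberately done in 32-bit unsigned
 * arithmetic to show the wrap-around a 32-bit allocator argument suffers. */
static uint32_t tbtt_alloc_size_unchecked(uint32_t count)
{
    return (uint32_t)sizeof(fixed_param_t) + (uint32_t)sizeof(uint32_t)
           + count * (uint32_t)sizeof(uint32_t);
}

/* Number of bytes the subsequent copy would write for this count.
 * This is what actually exceeds a wrapped (too small) allocation. */
static uint64_t tbtt_copy_bytes(uint32_t count)
{
    return (uint64_t)count * sizeof(uint32_t);
}

/* Checked version: returns 0 and stores the size on success, -1 if the
 * count would make the size expression wrap. */
static int tbtt_alloc_size(uint32_t count, uint32_t *size)
{
    if (count > tbtt_max_count())
        return -1;
    *size = tbtt_alloc_size_unchecked(count);
    return 0;
}

int main(void)
{
    uint32_t limit = tbtt_max_count();
    uint32_t size;

    /* Constructed counts: one sane, one just past the limit. */
    uint32_t counts[] = { 3, limit + 1 };
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint32_t c = counts[i];
        printf("count=%u unchecked_size=%u copy_bytes=%llu checked=%s\n",
               c, tbtt_alloc_size_unchecked(c),
               (unsigned long long)tbtt_copy_bytes(c),
               tbtt_alloc_size(c, &size) == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

With the stand-in header, `limit + 1` makes the unchecked size wrap to exactly 0 while the copy would still write over 4 GB past it; the checked variant rejects it before any allocation happens.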
| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c index 4268a359035c..769dd93733f2 100644 --- a/CORE/SERVICES/WMA/wma.c +++ b/CORE/SERVICES/WMA/wma.c @@ -20923,6 +20923,16 @@ static int wma_tbttoffset_update_event_handler(void *handle, u_int8_t *event, } tbtt_offset_event = param_buf->fixed_param; + + if (param_buf->num_tbttoffset_list > + (UINT_MAX - sizeof(u_int32_t) - + sizeof(wmi_tbtt_offset_event_fixed_param))/ + sizeof(u_int32_t)) { + WMA_LOGE("%s: Received offset list %d greater than maximum limit", + __func__, param_buf->num_tbttoffset_list); + return -EINVAL; + } + buf = vos_mem_malloc(sizeof(wmi_tbtt_offset_event_fixed_param) + sizeof (u_int32_t) + (param_buf->num_tbttoffset_list * sizeof (u_int32_t))); |
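Review bot: the new bound in this hunk stops the vos_mem_malloc size expression from wrapping, but it is derived from UINT_MAX rather than from what the event actually carries. A num_tbttoffset_list just below (UINT_MAX - sizeof(u_int32_t) - sizeof(wmi_tbtt_offset_event_fixed_param)) / sizeof(u_int32_t) still passes the check and requests an allocation close to 4 GB, and nothing in the hunk ties the count to the length of the tbttoffset_list TLV that was received. Suggest additionally rejecting a count larger than the number of entries present in the event (or the driver's maximum number of vdevs), so that an oversized but non-wrapping value fails before the allocation and the copy that follows it.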
