diff options
| author | Vignesh Viswanathan <viswanat@codeaurora.org> | 2018-01-23 12:03:10 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-01-23 03:04:46 -0800 |
| commit | 463b0aea7e01d77303198ca6aa0fe2526f1e2d2d (patch) | |
| tree | 4915caf4b5ad5df0abd5e807f76219ce8885f2c0 | |
| parent | d2743c27dfddaeb21b80ad3b19734d9f4e4c7691 (diff) | |
qcacld-3.0: Add sanity check for WMA NDP event handlers
In wma_ndp_confirm_event_handler & wma_ndp_indication_event_handler,
ndp_cfg len & num_ndp_app_info is from fw. If they are greater than
the actual length of buffer sent in FW, OOB access and info leak
would occur.
Add sanity checks for ndp_cfg_len and num_npd_app_info with the
actual length of the buffer from TLV header in functions
wma_ndp_confirm_event_handler and wma_ndp_indication_event_handler
to prevent OOB access.
Change-Id: I9ecf55a3606036d3e1f0916c948c4360475965fa
CRs-Fixed: 2175439
| -rw-r--r-- | core/wma/src/wma_nan_datapath.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/core/wma/src/wma_nan_datapath.c b/core/wma/src/wma_nan_datapath.c index d79bd97fdd3e..8a05a7e9071e 100644 --- a/core/wma/src/wma_nan_datapath.c +++ b/core/wma/src/wma_nan_datapath.c @@ -469,6 +469,19 @@ static int wma_ndp_indication_event_handler(void *handle, uint8_t *event_info, fixed_params = (wmi_ndp_indication_event_fixed_param *)event->fixed_param; + if (fixed_params->ndp_cfg_len > event->num_ndp_cfg) { + WMA_LOGE("FW message ndp cfg length %d larger than TLV hdr %d", + fixed_params->ndp_cfg_len, event->num_ndp_cfg); + return -EINVAL; + } + + if (fixed_params->ndp_app_info_len > event->num_ndp_app_info) { + WMA_LOGE("FW message ndp app info length %d more than TLV hdr %d", + fixed_params->ndp_app_info_len, + event->num_ndp_app_info); + return -EINVAL; + } + ind_event.vdev_id = fixed_params->vdev_id; ind_event.service_instance_id = fixed_params->service_instance_id; ind_event.ndp_instance_id = fixed_params->ndp_instance_id; @@ -625,10 +638,23 @@ static int wma_ndp_confirm_event_handler(void *handle, uint8_t *event_info, fixed_params->reason_code, fixed_params->num_active_ndps_on_peer); + if (fixed_params->ndp_cfg_len > event->num_ndp_cfg) { + WMA_LOGE("FW message ndp cfg length %d larger than TLV hdr %d", + fixed_params->ndp_cfg_len, event->num_ndp_cfg); + return -EINVAL; + } + WMA_LOGE(FL("ndp_cfg - %d bytes"), fixed_params->ndp_cfg_len); QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG, &event->ndp_cfg, fixed_params->ndp_cfg_len); + if (fixed_params->ndp_app_info_len > event->num_ndp_app_info) { + WMA_LOGE("FW message ndp app info length %d more than TLV hdr %d", + fixed_params->ndp_app_info_len, + event->num_ndp_app_info); + return -EINVAL; + } + WMA_LOGE(FL("ndp_app_info - %d bytes"), fixed_params->ndp_app_info_len); QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG, &event->ndp_app_info, fixed_params->ndp_app_info_len); |
