summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVignesh Viswanathan <viswanat@codeaurora.org>2018-01-23 12:03:10 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2018-01-23 03:04:46 -0800
commit463b0aea7e01d77303198ca6aa0fe2526f1e2d2d (patch)
tree4915caf4b5ad5df0abd5e807f76219ce8885f2c0
parentd2743c27dfddaeb21b80ad3b19734d9f4e4c7691 (diff)
qcacld-3.0: Add sanity check for WMA NDP event handlers
In wma_ndp_confirm_event_handler & wma_ndp_indication_event_handler, ndp_cfg len & num_ndp_app_info is from fw. If they are greater than the actual length of buffer sent in FW, OOB access and info leak would occur. Add sanity checks for ndp_cfg_len and num_npd_app_info with the actual length of the buffer from TLV header in functions wma_ndp_confirm_event_handler and wma_ndp_indication_event_handler to prevent OOB access. Change-Id: I9ecf55a3606036d3e1f0916c948c4360475965fa CRs-Fixed: 2175439
-rw-r--r--core/wma/src/wma_nan_datapath.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/core/wma/src/wma_nan_datapath.c b/core/wma/src/wma_nan_datapath.c
index d79bd97fdd3e..8a05a7e9071e 100644
--- a/core/wma/src/wma_nan_datapath.c
+++ b/core/wma/src/wma_nan_datapath.c
@@ -469,6 +469,19 @@ static int wma_ndp_indication_event_handler(void *handle, uint8_t *event_info,
fixed_params =
(wmi_ndp_indication_event_fixed_param *)event->fixed_param;
+ if (fixed_params->ndp_cfg_len > event->num_ndp_cfg) {
+ WMA_LOGE("FW message ndp cfg length %d larger than TLV hdr %d",
+ fixed_params->ndp_cfg_len, event->num_ndp_cfg);
+ return -EINVAL;
+ }
+
+ if (fixed_params->ndp_app_info_len > event->num_ndp_app_info) {
+ WMA_LOGE("FW message ndp app info length %d more than TLV hdr %d",
+ fixed_params->ndp_app_info_len,
+ event->num_ndp_app_info);
+ return -EINVAL;
+ }
+
ind_event.vdev_id = fixed_params->vdev_id;
ind_event.service_instance_id = fixed_params->service_instance_id;
ind_event.ndp_instance_id = fixed_params->ndp_instance_id;
@@ -625,10 +638,23 @@ static int wma_ndp_confirm_event_handler(void *handle, uint8_t *event_info,
fixed_params->reason_code,
fixed_params->num_active_ndps_on_peer);
+ if (fixed_params->ndp_cfg_len > event->num_ndp_cfg) {
+ WMA_LOGE("FW message ndp cfg length %d larger than TLV hdr %d",
+ fixed_params->ndp_cfg_len, event->num_ndp_cfg);
+ return -EINVAL;
+ }
+
WMA_LOGE(FL("ndp_cfg - %d bytes"), fixed_params->ndp_cfg_len);
QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
&event->ndp_cfg, fixed_params->ndp_cfg_len);
+ if (fixed_params->ndp_app_info_len > event->num_ndp_app_info) {
+ WMA_LOGE("FW message ndp app info length %d more than TLV hdr %d",
+ fixed_params->ndp_app_info_len,
+ event->num_ndp_app_info);
+ return -EINVAL;
+ }
+
WMA_LOGE(FL("ndp_app_info - %d bytes"), fixed_params->ndp_app_info_len);
QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
&event->ndp_app_info, fixed_params->ndp_app_info_len);