| author | abhinav kumar <abhikuma@codeaurora.org> | 2021-06-04 19:45:08 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2021-06-30 22:56:20 -0700 |
| commit | 686def1e072d577c573182e43e50391ed1830cb5 (patch) | |
| tree | 6b706e0743b31089c99de4ef5d1a3c6d1c4e1190 | |
| parent | c2e2adf298499edea91a72c0912a3285ac07c4cc (diff) | |
qcacld-3.0: Possible buffer overflow issue in wma
Possible buffer overflow risk in function
wmi_unified_bcn_tmpl_send.
Validate the beacon template length against
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
| -rw-r--r-- | core/wma/src/wma_mgmt.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index 1af38e0ae056..19941f0bd767 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2019, 2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -2329,8 +2329,22 @@ static QDF_STATUS wma_unified_bcn_tmpl_send(tp_wma_handle wma,
 tmpl_len = *(uint32_t *) &bcn_info->beacon[0];
 else
 tmpl_len = bcn_info->beaconLength;
- if (p2p_ie_len)
+
+ if (tmpl_len > WMI_BEACON_TX_BUFFER_SIZE) {
+ WMA_LOGE("tmpl_len: %d > %d. Invalid tmpl len", tmpl_len,
+ WMI_BEACON_TX_BUFFER_SIZE);
+ return -EINVAL;
+ }
+
+ if (p2p_ie_len) {
+ if (tmpl_len <= p2p_ie_len) {
+ WMA_LOGE("tmpl_len %d <= p2p_ie_len %d, Invalid",
+ tmpl_len, p2p_ie_len);
+ return -EINVAL;
+ }
 tmpl_len -= (uint32_t) p2p_ie_len;
+ }
+
 frm = bcn_info->beacon + bytes_to_strip;
 tmpl_len_aligned = roundup(tmpl_len, sizeof(A_UINT32));
 /* |
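Review bot: Both new rejection paths in the second hunk use `return -EINVAL;` although the hunk header declares the function as `static QDF_STATUS`, so a negative errno is returned where callers expect a QDF_STATUS code; `return QDF_STATUS_E_INVAL;` would keep the type consistent and ensure the oversized-template rejection is read as a failure by any caller that compares against specific status values. tmpl_len appears to be unsigned (it is read through `uint32_t *` and reduced with a `(uint32_t)` cast), so `%u` would be the accurate format in the two `WMA_LOGE` calls; the type of p2p_ie_len is not visible here. The upper bound is applied before `roundup(tmpl_len, sizeof(A_UINT32))`, so it is worth confirming that WMI_BEACON_TX_BUFFER_SIZE is a multiple of four or that the later copy is sized by tmpl_len rather than tmpl_len_aligned. The function body starts and ends outside this hunk, so how the return value and the aligned length are consumed cannot be checked from here.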
