| author | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | 2020-07-02 20:47:48 +0530 |
|---|---|---|
| committer | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | 2020-08-03 19:24:09 +0530 |
| commit | 6b752bcccfb9be7000ab1d7e22db492d2f159cfe (patch) | |
| tree | 23abac4d218ff1634d604e6adbbf7d17463f435f | |
| parent | 9e2c5e35519bcc866db387fa61a0519077d82cff (diff) | |
qcacmn: Fix possible OOB access while sending ext stats request

In 32-bit systems, currently there is possible OOB access in
send_stats_ext_req_cmd_tlv() if preq->request_data_len is
uint32_t max and len is also of type uint32_t.

Fix possible OOB access while sending ext stats request message
to firmware by validating the requested data length against the
difference between wmi max message size (WMI_SVC_MSG_MAX_SIZE),
size of the wmi command fixed param and wmi tlv header size
WMI_TLV_HDR_SIZE.

Change-Id: I769c9a6b7c0e0f76e2ec1070cac6c69768816454
CRs-Fixed: 2724256
| -rw-r--r-- | wmi/src/wmi_unified_tlv.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 6ce7e3f2f2e9..988f55c7985f 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved. + * Copyright (c) 2016-2020 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -9596,6 +9596,14 @@ QDF_STATUS send_stats_ext_req_cmd_tlv(wmi_unified_t wmi_handle, wmi_buf_t buf; size_t len; uint8_t *buf_ptr; + uint16_t max_wmi_msg_size = wmi_get_max_msg_len(wmi_handle); + + if (preq->request_data_len > (max_wmi_msg_size - WMI_TLV_HDR_SIZE - + sizeof(*cmd))) { + WMI_LOGE("%s: Data length=%d is greater than max wmi msg size", + __func__, preq->request_data_len); + return QDF_STATUS_E_FAILURE; + } len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + preq->request_data_len; |
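Review bot: The new bound in send_stats_ext_req_cmd_tlv(), (max_wmi_msg_size - WMI_TLV_HDR_SIZE - sizeof(*cmd)), can itself wrap. The sizeof operand makes the subtraction unsigned size_t arithmetic, so if wmi_get_max_msg_len() returns anything smaller than WMI_TLV_HDR_SIZE + sizeof(*cmd), zero included, the right-hand side becomes a very large value and every request_data_len passes the check, leaving the len computation below it unprotected. Reject that case first (fail if max_wmi_msg_size < WMI_TLV_HDR_SIZE + sizeof(*cmd)) and only then compare request_data_len against the difference. Two smaller points: the WMI_LOGE call prints request_data_len with %d although the commit message describes it as uint32_t, so %u is the matching specifier and avoids a negative number in the log for exactly the values this check is meant to catch; and the commit message names WMI_SVC_MSG_MAX_SIZE as the limit while the code takes it from wmi_get_max_msg_len(wmi_handle), so one of the two should be brought in line with the other.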
