| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2017-10-24 12:47:12 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-11-05 23:39:11 -0800 |
| commit | 76267d19309405174fa65643953e79afb83ffbf2 (patch) | |
| tree | 03d10e60b03b0759ebc49bc3759cdff29f464251 | |
| parent | d49bdd9f29f9cd19ddd841451c13d1171996a7a2 (diff) | |
qcacld-2.0: Check for buffer overflow for diag messages
Check for buffer overflow from diag messages.
Change-Id: I9618a7b581739602efeacefe1844fd4243b55d53
CRs-Fixed: 2125961
| -rw-r--r-- | CORE/UTILS/FWLOG/dbglog_host.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/CORE/UTILS/FWLOG/dbglog_host.c b/CORE/UTILS/FWLOG/dbglog_host.c
index fe906b46274f..7a7be6ddade9 100644
--- a/CORE/UTILS/FWLOG/dbglog_host.c
+++ b/CORE/UTILS/FWLOG/dbglog_host.c
@@ -2300,19 +2300,22 @@ diag_fw_handler(ol_scn_t scn, u_int8_t *data, u_int32_t datalen)
 static int
 process_fw_diag_event_data(uint8_t *datap, uint32_t num_data)
 {
- uint32_t i;
 uint32_t diag_type;
 uint32_t nl_data_len; /* diag hdr + payload */
 uint32_t diag_data_len; /* each fw diag payload */
 struct wlan_diag_data *diag_data;
- for (i = 0; i < num_data; i++) {
+ while (num_data > 0) {
 diag_data = (struct wlan_diag_data *)datap;
 diag_type = WLAN_DIAG_0_TYPE_GET(diag_data->word0);
 diag_data_len = WLAN_DIAG_0_LEN_GET(diag_data->word0);
 /* Length of diag struct and len of payload */
 nl_data_len = sizeof(struct wlan_diag_data) + diag_data_len;
-
+ if (nl_data_len > num_data) {
+ AR_DEBUG_PRINTF(ATH_DEBUG_INFO,
+ ("processed all the messages\n"));
+ return 0;
+ }
 switch (diag_type) {
 case DIAG_TYPE_FW_EVENT:
 return send_fw_diag_nl_data(datap, nl_data_len,
@@ -2325,6 +2328,7 @@ process_fw_diag_event_data(uint8_t *datap, uint32_t num_data)
 }
 /* Move to the next event and send to cnss-diag */
 datap += nl_data_len;
+ num_data -= nl_data_len;
 }
 return 0; |
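Review bot: The new length check in process_fw_diag_event_data runs only after `diag_data->word0` has been read, and the loop condition is just `num_data > 0`, so a trailing fragment shorter than the diag header is still dereferenced past the end of the buffer. A guard at the top of the loop body, `if (num_data < sizeof(struct wlan_diag_data)) return 0;`, would close that gap. The comparison is also safer written as `if (diag_data_len > num_data - sizeof(struct wlan_diag_data))`, which cannot wrap; whether the sum can actually overflow depends on the width of WLAN_DIAG_0_LEN_GET, which is not visible here. The rejected case logs "processed all the messages" at info level and returns 0, so a truncated or malformed record looks the same as a clean end of data; a distinct message and, if callers allow it, an error return would make this visible. The switch body and the end of the function lie outside both hunks, so the `num_data -= nl_data_len` bookkeeping in the second hunk could only be checked against the lines shown.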
