| author | Vignesh Viswanathan <viswanat@codeaurora.org> | 2017-09-27 20:42:11 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-10-06 14:44:37 -0700 |
| commit | 7dbe3cb475be4737fbaf5f479ed7faeac0547f35 (patch) | |
| tree | 62955939646c1a21620990f3a2b109ca7609d725 | |
| parent | 37c8b11e90a62db40c9ba1f20f247fe701303fda (diff) | |
qcacld-3.0: Avoid integer overflow in wma_rx_aggr_failure_event_handler
Add a sanity check to ensure that num_failure_info from FW does not
cause an integer overflow while calculating alloc_len. alloc_len is in
turn passed to malloc, so an integer overflow of alloc_len can lead to
less memory being allocated than required.
Change-Id: Iea93e879196e9cd43856a7dcc9204d2304f76c78
CRs-Fixed: 2114789
| -rw-r--r-- | core/wma/src/wma_features.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c
index dc3f37af4d1d..fd7f8e1c8e7e 100644
--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c
@@ -10944,6 +10944,14 @@ int wma_rx_aggr_failure_event_handler(void *handle, u_int8_t *event_buf,
 rx_aggr_failure_info = param_buf->fixed_param;
 hole_info = param_buf->failure_info;

+ if (rx_aggr_failure_info->num_failure_info > ((WMI_SVC_MSG_MAX_SIZE -
+ sizeof(*rx_aggr_hole_event)) /
+ sizeof(rx_aggr_hole_event->hole_info_array[0]))) {
+ WMA_LOGE("%s: Excess data from WMI num_failure_info %d",
+ __func__, rx_aggr_failure_info->num_failure_info);
+ return -EINVAL;
+ }
+
 alloc_len = sizeof(*rx_aggr_hole_event) +
 (rx_aggr_failure_info->num_failure_info)*
 sizeof(rx_aggr_hole_event->hole_info_array[0]);
|
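Review bot: The added bound on `rx_aggr_failure_info->num_failure_info` is derived from `WMI_SVC_MSG_MAX_SIZE`, so it keeps `alloc_len` from wrapping but does not tie the count to the number of `failure_info` entries this particular event actually carries. The rest of wma_rx_aggr_failure_event_handler lies outside the hunk; if it walks `hole_info` once per claimed entry, a firmware-supplied count larger than the received array would still read past the event buffer, so the count should presumably also be compared with the array length reported by the TLV parser or with the length the handler receives. Separately, `%d` in the WMA_LOGE call looks mismatched if the field is unsigned, in which case `%u` is the right specifier. A short comment above the check, such as `/* bounds alloc_len only; hole_info[] length must be validated separately */`, would make its scope explicit.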
