authorVignesh Viswanathan <viswanat@codeaurora.org>2017-09-27 20:42:11 +0530
committersnandini <snandini@codeaurora.org>2017-10-06 14:44:37 -0700
commit7dbe3cb475be4737fbaf5f479ed7faeac0547f35 (patch)
tree62955939646c1a21620990f3a2b109ca7609d725
parent37c8b11e90a62db40c9ba1f20f247fe701303fda (diff)
qcacld-3.0: Avoid integer overflow in wma_rx_aggr_failure_event_handler
Add a sanity check to ensure that num_failure_info from FW does not cause an integer overflow while calculating alloc_len. alloc_len is in turn passed to malloc, so an integer overflow of alloc_len can lead to less memory being allocated than required.

Change-Id: Iea93e879196e9cd43856a7dcc9204d2304f76c78
CRs-Fixed: 2114789
-rw-r--r--core/wma/src/wma_features.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c
index dc3f37af4d1d..fd7f8e1c8e7e 100644
--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c
@@ -10944,6 +10944,14 @@ int wma_rx_aggr_failure_event_handler(void *handle, u_int8_t *event_buf,
rx_aggr_failure_info = param_buf->fixed_param;
hole_info = param_buf->failure_info;
+ if (rx_aggr_failure_info->num_failure_info > ((WMI_SVC_MSG_MAX_SIZE -
+ sizeof(*rx_aggr_hole_event)) /
+ sizeof(rx_aggr_hole_event->hole_info_array[0]))) {
+ WMA_LOGE("%s: Excess data from WMI num_failure_info %d",
+ __func__, rx_aggr_failure_info->num_failure_info);
+ return -EINVAL;
+ }
+
alloc_len = sizeof(*rx_aggr_hole_event) +
(rx_aggr_failure_info->num_failure_info)*
sizeof(rx_aggr_hole_event->hole_info_array[0]);
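Review bot: The new guard bounds the firmware-supplied `num_failure_info` only against `WMI_SVC_MSG_MAX_SIZE`, not against the number of `failure_info` entries this event actually carries. If the code after the hunk copies `num_failure_info` elements out of `hole_info` (the function body starts and continues outside the hunk, so this is inferred), a short event with a large count would still read past the received buffer even though `alloc_len` no longer wraps. I would extend the condition with the parsed element count, along the lines of `rx_aggr_failure_info->num_failure_info > param_buf->num_failure_info ||`, assuming the TLV param struct exposes that counter as it does for other array elements. Separately, the log uses `%d` for what is presumably an unsigned 32-bit field; `%u` would avoid printing a negative number for exactly the oversized values this check is meant to report.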