authorCNSS_WLAN Service <cnssbldsw@qualcomm.com>2018-05-21 21:21:04 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2018-05-21 21:21:04 -0700
commit87831f20da00c02417dc98e756ea2a8d55a2779b (patch)
tree3563cc2d859e52e8527fe91b812f865ef04a1ede
parent736614884a2eb641ac9d95269ab75b2675007d47 (diff)
parent7a8639875bb01bca2dcac7bda9e5d986fbf8683f (diff)
Merge "qcacld-2.0: Add length check in ndp event handler" into wlan-cld2.driver.lnx.1.0
-rw-r--r--CORE/SERVICES/WMA/wma_nan_datapath.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/CORE/SERVICES/WMA/wma_nan_datapath.c b/CORE/SERVICES/WMA/wma_nan_datapath.c
index 5680de022f4c..c9ea6a2c4f00 100644
--- a/CORE/SERVICES/WMA/wma_nan_datapath.c
+++ b/CORE/SERVICES/WMA/wma_nan_datapath.c
@@ -482,6 +482,7 @@ static int wma_ndp_indication_event_handler(void *handle, uint8_t *event_info,
vos_msg_t pe_msg = {0};
struct ndp_indication_event *ind_event;
VOS_STATUS status;
+ size_t total_array_len = 0;
event = (WMI_NDP_INDICATION_EVENTID_param_tlvs *)event_info;
fixed_params =
@@ -499,6 +500,32 @@ static int wma_ndp_indication_event_handler(void *handle, uint8_t *event_info,
return -EINVAL;
}
+ if (fixed_params->ndp_cfg_len >
+ (WMA_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
+ WMA_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+ __func__, fixed_params->ndp_cfg_len);
+ return -EINVAL;
+ } else {
+ total_array_len = fixed_params->ndp_cfg_len +
+ sizeof(*fixed_params);
+ }
+
+ if (fixed_params->ndp_app_info_len >
+ (WMA_SVC_MSG_MAX_SIZE - total_array_len)) {
+ WMA_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+ __func__, fixed_params->ndp_app_info_len);
+ return -EINVAL;
+ } else {
+ total_array_len += fixed_params->ndp_app_info_len;
+ }
+
+ if (fixed_params->nan_scid_len >
+ (WMA_SVC_MSG_MAX_SIZE - total_array_len)) {
+ WMA_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+ __func__, fixed_params->nan_scid_len);
+ return -EINVAL;
+ }
+
ind_event = vos_mem_malloc(sizeof(*ind_event));
if (!ind_event) {
WMA_LOGP(FL("Failed to allocate memory"));
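Review bot: A firmware-supplied length that is under WMA_SVC_MSG_MAX_SIZE but larger than the array actually delivered in this event still passes all three new checks, because ndp_cfg_len, ndp_app_info_len and nan_scid_len are compared only against the global cap. If the handler later copies that many bytes out of the event (those copies are outside this hunk, so this is inferred), the result is an out-of-bounds read. Each length should also be validated against the element count the TLV parser recorded for its array before it is used. Separately, the second and third WMA_LOGE calls still print the label `ndp_cfg_len` while logging ndp_app_info_len and nan_scid_len, which will mislead log triage; use e.g. `WMA_LOGE("%s: excess wmi buffer: ndp_app_info_len %d",` and the matching `nan_scid_len` label. The body of wma_ndp_indication_event_handler starts before and continues past this hunk.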