authorYeshwanth Sriram Guntuka <ysriramg@codeaurora.org>2018-04-20 15:18:08 +0530
committernshrivas <nshrivas@codeaurora.org>2018-05-08 04:44:58 -0700
commit8da7d0c13b7f244b20fbabd8df73b4c724f415c0 (patch)
tree1b6f2e910f4760868634ca81056efef0fa205576
parentcd1f1b81b4e6ae97ae07665121f9fb664a9dfa7d (diff)
qcacld-3.0: Possible buffer overflow in wma_stats_ext_event_handler
The check on the stats ext info data length does not take the TLV header size into account, which could lead to a buffer overflow when the data is copied, since the copy does take the TLV header size into account. The fix is to subtract the TLV header size and the stats_ext_info size from the maximum allowed size when validating the stats ext info data length. Change-Id: I34e35a0aab396af3d93a0f61e0ab6a2da09f22ab CRs-Fixed: 2227263
-rw-r--r--core/wma/src/wma_utils.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index 32553342c66f..524f40494104 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -452,8 +452,8 @@ int wma_stats_ext_event_handler(void *handle, uint8_t *event_buf,
alloc_len += stats_ext_info->data_len;
if (stats_ext_info->data_len > (WMI_SVC_MSG_MAX_SIZE -
- sizeof(*stats_ext_info)) || stats_ext_info->data_len >
- param_buf->num_data) {
+ WMI_TLV_HDR_SIZE - sizeof(*stats_ext_info)) ||
+ stats_ext_info->data_len > param_buf->num_data) {
WMA_LOGE("Excess data_len:%d, num_data:%d",
stats_ext_info->data_len, param_buf->num_data);
return -EINVAL;
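Review bot: The bound in the `if` is an open-coded expression, `WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE - sizeof(*stats_ext_info)`, and nothing at the check says which later copy it protects, so a future change to the event layout could bring back the mismatch this commit fixes. A comment above the condition would tie the two together, e.g. `/* max data_len = message size minus TLV header and fixed param; must match the copy that follows */`. Separately, `alloc_len += stats_ext_info->data_len;` still runs before the length is validated; it looks harmless because the error path returns, but moving it below the check would keep the unvalidated value out of any arithmetic. The body of wma_stats_ext_event_handler starts and ends outside the hunk, so the copy site and the type of `alloc_len` are not visible here.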