diff options
| author | Himanshu Agarwal <himanaga@codeaurora.org> | 2017-10-04 17:41:41 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-10-06 14:44:31 -0700 |
| commit | 926d758bbbfafd5466a6969bcc51b2190bda3307 (patch) | |
| tree | 4d532146bd1e74382f3e0082b65ae0b72b861f5f | |
| parent | 1bab281747ee945deddaeebb327b25b76e40f704 (diff) | |
qcacld-3.0: Add sanity check for buf pkt len to prevent OOB access
Add sanity check for wow_buf_pkt_len in wma_wow_wakeup_host_event()
to avoid out of bound memory access.
Change-Id: Id3b0003aa366d9239739efe561f44eff1dceff5d
CRs-Fixed: 2119401
| -rw-r--r-- | core/wma/src/wma_features.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c index 6a40ba41e9f5..dc3f37af4d1d 100644 --- a/core/wma/src/wma_features.c +++ b/core/wma/src/wma_features.c @@ -4675,6 +4675,12 @@ int wma_wow_wakeup_host_event(void *handle, uint8_t *event, * Following the length is the actual buffer. */ wow_buf_pkt_len = *(uint32_t *)param_buf->wow_packet_buffer; + if (wow_buf_pkt_len != + param_buf->num_wow_packet_buffer - 4) { + WMA_LOGE("Invalid wow buf pkt len from firmware"); + return -EINVAL; + } + tlv_hdr = WMITLV_GET_HDR( (uint8_t *)param_buf->wow_packet_buffer + 4); |
