summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHimanshu Agarwal <himanaga@codeaurora.org>2017-10-04 17:41:41 +0530
committersnandini <snandini@codeaurora.org>2017-10-06 14:44:31 -0700
commit926d758bbbfafd5466a6969bcc51b2190bda3307 (patch)
tree4d532146bd1e74382f3e0082b65ae0b72b861f5f
parent1bab281747ee945deddaeebb327b25b76e40f704 (diff)
qcacld-3.0: Add sanity check for buf pkt len to prevent OOB access
Add sanity check for wow_buf_pkt_len in wma_wow_wakeup_host_event() to avoid out of bound memory access. Change-Id: Id3b0003aa366d9239739efe561f44eff1dceff5d CRs-Fixed: 2119401
-rw-r--r--core/wma/src/wma_features.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c
index 6a40ba41e9f5..dc3f37af4d1d 100644
--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c
@@ -4675,6 +4675,12 @@ int wma_wow_wakeup_host_event(void *handle, uint8_t *event,
* Following the length is the actual buffer.
*/
wow_buf_pkt_len = *(uint32_t *)param_buf->wow_packet_buffer;
+ if (wow_buf_pkt_len !=
+ param_buf->num_wow_packet_buffer - 4) {
+ WMA_LOGE("Invalid wow buf pkt len from firmware");
+ return -EINVAL;
+ }
+
tlv_hdr = WMITLV_GET_HDR(
(uint8_t *)param_buf->wow_packet_buffer + 4);