| author | Vignesh Viswanathan <viswanat@codeaurora.org> | 2017-09-28 15:26:56 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-10-06 15:36:27 -0700 |
| commit | 96b2f0e755aadc1df1c701c3ffe2ff6bc152fa96 (patch) | |
| tree | c5850f8fbba9b6028bbf5cc13fda6f8f1705d62e | |
| parent | 8295b5009af279e4c84bcb3d5ea9adff5d71b241 (diff) | |
qcacld-3.0: Fix potential buffer overwrite in wma_unified_link_iface_stats_event_handler
In function wma_unified_link_iface_stats_event_handler, num_ac is received
from the firmware and is used in the loop to populate values into results.
However the memory for results is allocated only for WIFI_AC_MAX and a
buffer overflow will occur if num_ac is greater than WIFI_AC_MAX.
Add checks to make sure num_ac is not greater than WIFI_AC_MAX and
num_offload_stats is not greater than WMI_OFFLOAD_STATS_TYPE_MAX.
Change-Id: Ife8b1d19aa853f85f4fad82d5791e49a8c892ca4
CRs-Fixed: 2114756
| -rw-r--r-- | core/wma/src/wma_utils.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c index 8e513ee88e33..7d4eff74e654 100644 --- a/core/wma/src/wma_utils.c +++ b/core/wma/src/wma_utils.c @@ -2123,6 +2123,17 @@ int wma_unified_link_iface_stats_event_handler(void *handle, return -EINVAL; } + if (link_stats->num_ac > WIFI_AC_MAX) { + WMA_LOGE("%s: Excess data received from firmware num_ac %d", + __func__, link_stats->num_ac); + return -EINVAL; + } + if (fixed_param->num_offload_stats > WMI_OFFLOAD_STATS_TYPE_MAX) { + WMA_LOGE("%s: Excess num offload stats recvd from fw: %d", + __func__, fixed_param->num_offload_stats); + return -EINVAL; + } + link_stats_size = sizeof(tSirWifiIfaceStat); iface_info_size = sizeof(tSirWifiInterfaceInfo); |
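Review bot: The two added checks bound link_stats->num_ac and fixed_param->num_offload_stats only against the destination limits WIFI_AC_MAX and WMI_OFFLOAD_STATS_TYPE_MAX; nothing in this hunk compares either count with the number of entries actually present in the received event, so please confirm that the validation ending in the "return -EINVAL;" just above already covers that, or add it here, since a count that is within the maximum but larger than what the firmware sent would still make the later loop read past the event data. A smaller point on the two WMA_LOGE calls: both print the count with %d, and if these fields are unsigned a value with the top bit set will be logged as a negative number, so %u would make the log line more useful when triaging a malformed event. It would also help to add a short comment above the checks saying that both counts come from firmware and are untrusted, so the reason for the bounds is visible in the code and not only in the commit message.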
