authorVignesh Viswanathan <viswanat@codeaurora.org>2017-09-28 15:26:56 +0530
committersnandini <snandini@codeaurora.org>2017-10-06 15:36:27 -0700
commit96b2f0e755aadc1df1c701c3ffe2ff6bc152fa96 (patch)
treec5850f8fbba9b6028bbf5cc13fda6f8f1705d62e
parent8295b5009af279e4c84bcb3d5ea9adff5d71b241 (diff)
qcacld-3.0: Fix potential buffer overwrite in wma_unified_link_iface_stats_event_handler
In function wma_unified_link_iface_stats_event_handler, num_ac is received from the firmware and is used in the loop to populate values into results. However, the memory for results is allocated only for WIFI_AC_MAX, and a buffer overflow will occur if num_ac is greater than WIFI_AC_MAX. Add checks to make sure num_ac is not greater than WIFI_AC_MAX and num_offload_stats is not greater than WMI_OFFLOAD_STATS_TYPE_MAX. Change-Id: Ife8b1d19aa853f85f4fad82d5791e49a8c892ca4 CRs-Fixed: 2114756
-rw-r--r--core/wma/src/wma_utils.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index 8e513ee88e33..7d4eff74e654 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -2123,6 +2123,17 @@ int wma_unified_link_iface_stats_event_handler(void *handle,
return -EINVAL;
}
+ if (link_stats->num_ac > WIFI_AC_MAX) {
+ WMA_LOGE("%s: Excess data received from firmware num_ac %d",
+ __func__, link_stats->num_ac);
+ return -EINVAL;
+ }
+ if (fixed_param->num_offload_stats > WMI_OFFLOAD_STATS_TYPE_MAX) {
+ WMA_LOGE("%s: Excess num offload stats recvd from fw: %d",
+ __func__, fixed_param->num_offload_stats);
+ return -EINVAL;
+ }
+
link_stats_size = sizeof(tSirWifiIfaceStat);
iface_info_size = sizeof(tSirWifiInterfaceInfo);
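Review bot: The two added guards, `link_stats->num_ac > WIFI_AC_MAX` and `fixed_param->num_offload_stats > WMI_OFFLOAD_STATS_TYPE_MAX`, cap the firmware-supplied counts against the destination size, but nothing visible in this hunk compares them with the number of entries the event buffer actually carries. A count that is within the maximum but larger than the received array could therefore still make the later copy loop read past the event data; if the handler does not validate that elsewhere, a second comparison against the received element counts belongs next to these checks. Both counts are logged with `%d`; if the fields are unsigned 32-bit values, as firmware event fields commonly are, `%u` avoids printing a large value as negative. A short comment above the checks, such as `/* counts come from firmware: bound them before sizing or indexing results */`, would record why they exist. The function body starts and ends outside the hunk, so the allocation and the loops are taken from the commit description rather than from visible lines.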