authorAbhinav Kumar <abhikuma@codeaurora.org>2017-12-20 12:49:54 +0530
committersnandini <snandini@codeaurora.org>2017-12-20 01:51:38 -0800
commit99a8b6f70574bb49ff3bb1ba972a7722eb8e0fbd (patch)
tree30e3e5d882887e693069f8474b6449527a147109
parent148b6c08add75b588a241db13c18cabbde54635d (diff)
qcacld-2.0: Fix buffer overread in wma_extscan_hotlist_match_event_handler
In function wma_extscan_hotlist_match_event_handler, numap and src_hotlist are received from the FW. src_hotlist is a pointer to the hotlist data; it is looped over numap times and copied to the local buffer dest_hotlist. If the value of numap is not equal to the number of src_hotlist entries present in the buffer, a buffer overread would occur during memcpy. Add a check to validate that the len of the buffer received from the FW is not less than the size of the fixparam struct + (numap * src_hotlist structure). Change-Id: I2dc596f91bc49ccf0327062aa6732cd072d52085 CRs-Fixed: 2148646
-rw-r--r--CORE/SERVICES/WMA/wma.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 118457a106a9..165c4cdafadc 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -4306,7 +4306,7 @@ static int wma_extscan_hotlist_match_event_handler(void *handle,
wmi_extscan_wlan_descriptor *src_hotlist;
uint32_t numap;
int j, ap_found = 0;
-
+ uint32_t buf_len;
tpAniSirGlobal pMac = (tpAniSirGlobal )vos_get_context(
VOS_MODULE_ID_PE, wma->vos_context);
if (!pMac) {
@@ -4336,6 +4336,13 @@ static int wma_extscan_hotlist_match_event_handler(void *handle,
__func__, numap);
numap = WMA_EXTSCAN_MAX_HOTLIST_ENTRIES;
}
+ buf_len = sizeof(wmi_extscan_hotlist_match_event_fixed_param) +
+ (4 * sizeof(uint32_t)) +
+ (numap * sizeof(wmi_extscan_wlan_descriptor));
+ if (buf_len > len) {
+ WMA_LOGE("Invalid buf len from FW %d numap %d", len, numap);
+ return -EINVAL;
+ }
dest_hotlist = vos_mem_malloc(sizeof(*dest_hotlist) +
sizeof(*dest_ap) * numap);
if (!dest_hotlist) {
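Review bot: The `4 * sizeof(uint32_t)` term in the new `buf_len` computation is an unexplained constant, and the overread check is only as good as its match with the real framing overhead of the event. A comment such as `/* fixed param + 4 words of framing (presumably TLV headers, confirm) + numap descriptors */`, or a named macro, would let a reader verify it. The comparison is against the total event length `len`, so it bounds the copy only indirectly; if the parsed event buffer in this tree exposes an element count for the hotlist array, comparing `numap` with that count would be the tighter check. `numap` is `uint32_t` and `len` (declared outside the hunk) is presumably unsigned as well, so the log line should use `%u` rather than `%d`. The function body starts and ends outside this hunk.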