Merge "qcacld-2.0: Add sanity check for WMI event length" into wlan-cld2.driver.lnx.1.0

author: CNSS_WLAN Service <cnssbldsw@qualcomm.com> 2018-05-02 02:08:39 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2018-05-02 02:08:39 -0700
commit: a5bcf0d85af805d463e74daab2c5461cb896d610 (patch)
tree: c2b4c19e89039a1e6e0ff52a0c12026ae50bb120
parent: fd110f21319c002b13ef19070bb2f1c798892957 (diff)
parent: f0457d293bc64c50691ad84ff9543e3ed66c7279 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index ccbb1bedbc4d..c94d900b88e0 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -5380,7 +5380,8 @@ static int wma_unified_link_radio_stats_event_handler(void *handle,
 	chan_stats_size  = sizeof(tSirWifiChannelStats);
 
 	if (fixed_param->num_radio >
-	    (UINT_MAX - sizeof(*link_stats_results)) / radio_stats_size) {
+	    (WMA_SVC_MSG_MAX_SIZE -
+	     sizeof(*link_stats_results)) / radio_stats_size) {
 		WMA_LOGE("excess num_radio %d is leading to int overflow",
 			 fixed_param->num_radio);
 		return -EINVAL;
@@ -21281,7 +21282,7 @@ static int wma_tbttoffset_update_event_handler(void *handle, u_int8_t *event,
 	tbtt_offset_event = param_buf->fixed_param;
 
 	if (param_buf->num_tbttoffset_list >
-			(UINT_MAX - sizeof(u_int32_t) -
+			(WMA_SVC_MSG_MAX_SIZE - sizeof(u_int32_t) -
 				sizeof(wmi_tbtt_offset_event_fixed_param))/
 			 sizeof(u_int32_t)) {
 		WMA_LOGE("%s: Received offset list  %d greater than maximum limit",
author	CNSS_WLAN Service <cnssbldsw@qualcomm.com>	2018-05-02 02:08:39 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2018-05-02 02:08:39 -0700
commit	a5bcf0d85af805d463e74daab2c5461cb896d610 (patch)
tree	c2b4c19e89039a1e6e0ff52a0c12026ae50bb120
parent	fd110f21319c002b13ef19070bb2f1c798892957 (diff)
parent	f0457d293bc64c50691ad84ff9543e3ed66c7279 (diff)