| author | Bapiraju Alla <quic_balla@quicinc.com> | 2021-11-11 13:05:48 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2021-12-09 04:40:13 -0800 |
| commit | ab63644b28389f4fc5bfb8fe61e37f455f712964 (patch) | |
| tree | 9d5566477d6247533e438aaafa81823b0c8ba457 | |
| parent | 2ada1fef12f147a9ac15d0b4c7a71be9fd0477b1 (diff) | |
qcacld-3.0: Validate NDP app info length before accessing NDP app info
Currently, NDP app info length is not being validated against the max
NDP app info length. This may result in a buffer overflow while accessing
NDP app info received from the firmware.
To address this, validate NDP app info length before accessing NDP
app info.
Change-Id: Ifddf1afca7ecf2585e8eb450864d9ba127238f6e
CRs-Fixed: 3073345
| -rw-r--r-- | core/hdd/src/wlan_hdd_nan_datapath.h | 2 | ||||
| -rw-r--r-- | core/wma/inc/wma.h | 2 | ||||
| -rw-r--r-- | core/wma/src/wma_nan_datapath.c | 6 |
3 files changed, 9 insertions, 1 deletions
diff --git a/core/hdd/src/wlan_hdd_nan_datapath.h b/core/hdd/src/wlan_hdd_nan_datapath.h
index 72516e3f80e2..5b1353cf856b 100644
--- a/core/hdd/src/wlan_hdd_nan_datapath.h
+++ b/core/hdd/src/wlan_hdd_nan_datapath.h
@@ -1,5 +1,6 @@
 /*
 * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -35,7 +36,6 @@ struct wireless_dev;
 #define NAN_SOCIAL_CHANNEL_5GHZ_LOWER_BAND 44
 #define NAN_SOCIAL_CHANNEL_5GHZ_UPPER_BAND 149
-#define NDP_APP_INFO_LEN 255
 #define NDP_PMK_LEN 32
 #define NDP_SCID_BUF_LEN 256
 #define NDP_NUM_INSTANCE_ID 255
diff --git a/core/wma/inc/wma.h b/core/wma/inc/wma.h
index 5728194c58d6..79f812017119 100644
--- a/core/wma/inc/wma.h
+++ b/core/wma/inc/wma.h
@@ -1,5 +1,6 @@
 /*
 * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -55,6 +56,7 @@
 #define WMA_RESUME_TIMEOUT 6000
 #define MAX_MEM_CHUNKS 32
 #define NAN_CLUSTER_ID_BYTES 4
+#define NDP_APP_INFO_LEN 255
 #define WMA_CRASH_INJECT_TIMEOUT 5000
diff --git a/core/wma/src/wma_nan_datapath.c b/core/wma/src/wma_nan_datapath.c
index dff36acb30ee..6702ef10c3c8 100644
--- a/core/wma/src/wma_nan_datapath.c
+++ b/core/wma/src/wma_nan_datapath.c
@@ -1,5 +1,6 @@
 /*
 * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -720,6 +721,11 @@ static int wma_ndp_confirm_event_handler(void *handle, uint8_t *event_info,
 WMA_LOGE(FL("malloc failed"));
 return QDF_STATUS_E_NOMEM;
 }
+
+ if (ndp_confirm.ndp_info.ndp_app_info_len > NDP_APP_INFO_LEN)
+ ndp_confirm.ndp_info.ndp_app_info_len =
+ NDP_APP_INFO_LEN;
+
 qdf_mem_copy(&ndp_confirm.ndp_info.ndp_app_info,
 event->ndp_app_info,
 ndp_confirm.ndp_info.ndp_app_info_len);
|
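Review bot: The added clamp before `qdf_mem_copy` limits only how much is written, and it does so silently: a firmware length above `NDP_APP_INFO_LEN` is truncated and the event is still delivered as valid, and nothing visible in the hunk compares `ndp_app_info_len` with the number of bytes actually present in `event->ndp_app_info`, so an over-read of the source remains possible unless that is checked earlier in the function. I would log the oversized value before clamping, e.g. `WMA_LOGE(FL("ndp_app_info_len %d exceeds max %d"), ndp_confirm.ndp_info.ndp_app_info_len, NDP_APP_INFO_LEN);` (specifier to match the field's type), or reject the event outright. The bound is also only as good as the match between `NDP_APP_INFO_LEN` and the real size of the destination, which is declared outside this hunk; a comment such as `/* must not exceed the size of ndp_info.ndp_app_info */` next to the check would record that dependency. The body of wma_ndp_confirm_event_handler starts and ends outside the hunk, so the earlier allocation and any prior length checks could not be reviewed here.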
