summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVarun Reddy Yeturu <varunreddy.yeturu@codeaurora.org>2017-09-26 15:28:42 -0700
committersnandini <snandini@codeaurora.org>2017-09-29 11:43:22 -0700
commitb423a9098267dd58b03abd6dfc4025ca02009e87 (patch)
tree273364f22977cd26596263a06024bce976e53c28
parentd210942010d4ad8fbcac7d8711b9cd407e359955 (diff)
qcacld-3.0: Avoid possible buffer overwrite in wma_process_utf_event
Check for the maximum allowed data that can be written into the buffer utf_event_info.data in the function wma_process_utf_event. Change-Id: I9ee37470b7a3e7016941f871d3cf73eb12718758 CRs-Fixed: 2115375
-rw-r--r--core/wma/src/wma_utils.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index dbc05fe97430..d296bcda186f 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -4044,6 +4044,13 @@ wma_process_utf_event(WMA_HANDLE handle, uint8_t *datap, uint32_t dataplen)
currentSeq);
}
+ if ((datalen > MAX_UTF_EVENT_LENGTH) ||
+ (wma_handle->utf_event_info.offset >
+ (MAX_UTF_EVENT_LENGTH - datalen))) {
+ WMA_LOGE("Excess data from firmware, offset:%zu, len:%d",
+ wma_handle->utf_event_info.offset, datalen);
+ return -EINVAL;
+ }
memcpy(&wma_handle->utf_event_info.
data[wma_handle->utf_event_info.offset],
&data[sizeof(segHdrInfo)], datalen);