diff options
| author | Varun Reddy Yeturu <varunreddy.yeturu@codeaurora.org> | 2017-09-26 15:28:42 -0700 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-09-29 11:43:22 -0700 |
| commit | b423a9098267dd58b03abd6dfc4025ca02009e87 (patch) | |
| tree | 273364f22977cd26596263a06024bce976e53c28 | |
| parent | d210942010d4ad8fbcac7d8711b9cd407e359955 (diff) | |
qcacld-3.0: Avoid possible buffer overwrite in wma_process_utf_event
Check for the maximum allowed data that can be written into
the buffer utf_event_info.data in the function
wma_process_utf_event.
Change-Id: I9ee37470b7a3e7016941f871d3cf73eb12718758
CRs-Fixed: 2115375
| -rw-r--r-- | core/wma/src/wma_utils.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c index dbc05fe97430..d296bcda186f 100644 --- a/core/wma/src/wma_utils.c +++ b/core/wma/src/wma_utils.c @@ -4044,6 +4044,13 @@ wma_process_utf_event(WMA_HANDLE handle, uint8_t *datap, uint32_t dataplen) currentSeq); } + if ((datalen > MAX_UTF_EVENT_LENGTH) || + (wma_handle->utf_event_info.offset > + (MAX_UTF_EVENT_LENGTH - datalen))) { + WMA_LOGE("Excess data from firmware, offset:%zu, len:%d", + wma_handle->utf_event_info.offset, datalen); + return -EINVAL; + } memcpy(&wma_handle->utf_event_info. data[wma_handle->utf_event_info.offset], &data[sizeof(segHdrInfo)], datalen); |
