| author | Amar Singhal <asinghal@codeaurora.org> | 2017-10-03 10:08:38 -0700 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-10-11 13:10:11 -0700 |
| commit | c486ffa52eba4c0a942e2fd5a374cca119b08b01 (patch) | |
| tree | d20a4380c5b865ca83ebc4472cdac7852dc00fbd | |
| parent | ce8f01f951ad7a9b3b6597e8e6011073fe0019c3 (diff) | |
qcacld-3.0: Add size checks in diag_fw_handler
Correct the invalid type conversions in diag_fw_handler.
Change-Id: I9dfaf3830b6686a824356f790b1dc51e76b4944a
CRs-Fixed: 2118950
| -rw-r--r-- | core/utils/fwlog/dbglog_host.c | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/core/utils/fwlog/dbglog_host.c b/core/utils/fwlog/dbglog_host.c index ad26d93d5a39..59dd6ff7d931 100644 --- a/core/utils/fwlog/dbglog_host.c +++ b/core/utils/fwlog/dbglog_host.c @@ -1844,7 +1844,7 @@ static int diag_fw_handler(ol_scn_t scn, uint8_t *data, uint32_t datalen) { tp_wma_handle wma = (tp_wma_handle) scn; - wmitlv_cmd_param_info *param_buf; + WMI_DIAG_EVENTID_param_tlvs *param_buf; uint8_t *datap; uint32_t len = 0; uint32_t *buffer; @@ -1859,22 +1859,37 @@ static int diag_fw_handler(ol_scn_t scn, uint8_t *data, uint32_t datalen) len = datalen; wma->is_fw_assert = 0; } else { - param_buf = (wmitlv_cmd_param_info *) data; + param_buf = (WMI_DIAG_EVENTID_param_tlvs *) data; if (!param_buf) { AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("Get NULL point message from FW\n")); return A_ERROR; } - param_buf = (wmitlv_cmd_param_info *) data; - datap = param_buf->tlv_ptr; - len = param_buf->num_elements; + datap = param_buf->bufp; + len = param_buf->num_bufp; + if (!get_version) { + if (len < 2*(sizeof(uint32_t))) { + AR_DEBUG_PRINTF(ATH_DEBUG_ERR, + ("len is less than expected\n")); + return A_ERROR; + } buffer = (uint32_t *) datap; buffer++; /* skip offset */ if (WLAN_DIAG_TYPE_CONFIG == DIAG_GET_TYPE(*buffer)) { + if (len < 3*(sizeof(uint32_t))) { + AR_DEBUG_PRINTF(ATH_DEBUG_ERR, + ("len is less than expected\n")); + return A_ERROR; + } buffer++; /* skip */ if (DIAG_VERSION_INFO == DIAG_GET_ID(*buffer)) { + if (len < 4*(sizeof(uint32_t))) { + AR_DEBUG_PRINTF(ATH_DEBUG_ERR, + ("len is less than expected\n")); + return A_ERROR; + } buffer++; /* skip */ /* get payload */ get_version = *buffer; |
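Review bot: The three added length guards in the second hunk all sit inside `if (!get_version) {`, so they only run until the version word has been captured; on later events `datap` and `len` taken from `param_buf->bufp` and `param_buf->num_bufp` leave this block unchecked. The rest of diag_fw_handler is outside the hunk, so it is worth confirming that whatever consumes `datap` and `len` afterwards bounds its own reads against the firmware-supplied length. Inside the block the guards do match the reads (the second, third and fourth words need 8, 12 and 16 bytes), but all three log the identical text, so a malformed event cannot be traced to a specific check. Logging the value, for example `("diag event too short: len %u\n", len)`, and adding a short comment naming the four words (offset, type, id, payload) would make the layout and any failure easier to follow.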
