| author | gaurank kathpalia <gkathpal@codeaurora.org> | 2017-11-29 11:18:21 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-11-30 05:29:16 -0800 |
| commit | c79a84217d33944ffe8c5f091e41f3742e3e07c8 (patch) | |
| tree | 39ec575b86f4d322af6757785b7141ff1eab479a | |
| parent | 5aa2071f9d4d0f0190c51f2ff10a3df2bc88e75b (diff) | |
qcacld-2.0: Avoid integer overflow in wma_peer_info_event_handler
Check for the num_peers received from firmware and ensure an
integer overflow does not happen in wma_peer_info_event_handler.
Change-Id: I524cc6bd5b75dd6326562b3a4513048d36677487
CRs-Fixed: 2132257
| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index d45d8070801f..1d30881028f7 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -3470,6 +3470,13 @@ static int wma_peer_info_event_handler(void *handle, u_int8_t *cmd_param_info,
 WMA_LOGI("%s Recv WMI_PEER_STATS_INFO_EVENTID", __func__);
 event = param_buf->fixed_param;
+ if (event->num_peers >
+ ((WMA_SVC_MSG_MAX_SIZE -
+ sizeof(wmi_peer_stats_info_event_fixed_param))/
+ sizeof(wmi_peer_stats_info))) {
+ WMA_LOGE("Excess num of peers from fw %d", event->num_peers);
+ return -EINVAL;
+ }
 buf_size = sizeof(wmi_peer_stats_info_event_fixed_param) +
 sizeof(wmi_peer_stats_info) * event->num_peers;
 buf = vos_mem_malloc(buf_size);
 |
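Review bot: The new bound on `event->num_peers` is derived only from `WMA_SVC_MSG_MAX_SIZE`, so it keeps the `buf_size` computation from wrapping but does not tie the count to how many `wmi_peer_stats_info` entries the received event actually carries. If the code after `vos_mem_malloc(buf_size)` (outside this hunk) copies `num_peers` entries out of the event buffer, a firmware-supplied count that is under this cap but larger than the real payload would presumably still read past the end of the event; the same condition should also reject a count above the entry count or length the TLV parser reports for this event. Separately, `num_peers` is compared against a `size_t` expression and looks unsigned, so the log line would read better as `WMA_LOGE("Excess num of peers from fw %u", event->num_peers);`. The function body starts and ends outside the hunk, so both points need confirming against the full handler.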
