| author | Alok Kumar <alokkuma@codeaurora.org> | 2018-01-09 12:10:15 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2018-01-24 07:19:17 -0800 |
| commit | d56524a3b7973373fb63f667a149aff748e4a217 (patch) | |
| tree | 1dded250b5c3d8692d559450aee6ec5105c6ed3a | |
| parent | 6ee38fbb23ec7f34aaa63ad19f28546e3c76ceb1 (diff) | |
qcacld-3.0: Fix buffer overflow in fill_ieee80211_hdr_data
Currently variable pl_msdu_info->num_msdu is from message, and
is used directly as array size. This may cause buffer overflow.
To address this issue add qdf_assert check.
Change-Id: I44e0717c0073f6de20ee91c54f587edcaacd10a4
CRs-Fixed: 2148637
| -rw-r--r-- | core/utils/pktlog/pktlog_internal.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/core/utils/pktlog/pktlog_internal.c b/core/utils/pktlog/pktlog_internal.c index aae7d71c0049..c693a1d66521 100644 --- a/core/utils/pktlog/pktlog_internal.c +++ b/core/utils/pktlog/pktlog_internal.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved. + * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -276,6 +276,13 @@ fill_ieee80211_hdr_data(struct ol_txrx_pdev_t *txrx_pdev, pl_msdu_info->priv_size = sizeof(uint32_t) * pl_msdu_info->num_msdu + sizeof(uint32_t); + if (pl_msdu_info->num_msdu > MAX_PKT_INFO_MSDU_ID) { + QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, + "%s: Invalid num_msdu count", + __func__); + qdf_assert(0); + return; + } for (i = 0; i < pl_msdu_info->num_msdu; i++) { /* * Handle big endianness |
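Review bot: In the second hunk (@@ -276,6 +276,13 @@) the new bounds check comes after `pl_msdu_info->priv_size = sizeof(uint32_t) * pl_msdu_info->num_msdu + sizeof(uint32_t);`, so on the early return priv_size has already been derived from the unvalidated count. Move the `if (pl_msdu_info->num_msdu > MAX_PKT_INFO_MSDU_ID)` block above that assignment so that nothing is computed from num_msdu before it is checked. The error trace would also be more useful if it printed the offending num_msdu value alongside `__func__`. Since the commit message says num_msdu comes from a message, consider whether `qdf_assert(0)` is wanted here at all: the log plus `return` already rejects the bad input, and asserting on a value received from outside makes malformed input fatal in builds where the assert is active. Please also confirm in the commit message that `>` (rather than `>=`) matches the declared size of the array indexed in the loop, as that declaration is not visible in this diff.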
