authortinlin <tinlin@codeaurora.org>2018-12-13 19:33:52 +0800
committertinlin <tinlin@codeaurora.org>2018-12-13 19:44:18 +0800
commite2ce745edf0e5204fc8bd0725bd6cf32734adfea (patch)
tree90ffbc167ce859204c18f0fd6be01cd3ab441f13
parentfc2ef40c85b875fe9a702d87abff40d2f19816c1 (diff)
qcacld-2.0: Fix possible OOB read in ProcDnldRsp
Propagation from cld3.0 to cld2.0. In ProcDnldRsp, pHdr->sBufSize comes from a firmware message and cannot be trusted. Before using it, ProcDnldRsp should verify it against the maximum allowed size (UINT_MAX). Fix is to add a sanity check of pHdr->sBufSize against UINT_MAX before its use. Change-Id: I6ec970483af860d5e42d6adac640274743f44f1a CRs-Fixed: 2366509
-rw-r--r--CORE/MAC/src/cfg/cfgProcMsg.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/CORE/MAC/src/cfg/cfgProcMsg.c b/CORE/MAC/src/cfg/cfgProcMsg.c
index bd51504d9cad..0f5b1217b6bc 100644
--- a/CORE/MAC/src/cfg/cfgProcMsg.c
+++ b/CORE/MAC/src/cfg/cfgProcMsg.c
@@ -2485,6 +2485,14 @@ ProcDnldRsp(tpAniSirGlobal pMac, tANI_U16 length, tANI_U32 *pParam)
PELOGW(cfgLog(pMac, LOGW, FL("CFG hdr totParams %d intParams %d strBufSize %d/%d"),
pHdr->controlSize, pHdr->iBufSize, pHdr->sBufSize, pMac->cfg.gCfgMaxSBufSize);)
+ if (pHdr->sBufSize > (UINT_MAX -
+ (((WNI_CFG_MAX + 3 * pMac->cfg.gCfgMaxIBufSize) << 2) +
+ sizeof(tCfgBinHdr)))) {
+ PELOGW(cfgLog(pMac, LOGW, FL("Invalid sBufSize coming from fw %d"),
+ pHdr->sBufSize);)
+ retVal = WNI_CFG_INVALID_LEN;
+ goto end;
+ }
expLen = ((WNI_CFG_MAX + 3 * pMac->cfg.gCfgMaxIBufSize) << 2) +
pHdr->sBufSize + sizeof(tCfgBinHdr);
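Review bot: The added guard only prevents `expLen` from wrapping past UINT_MAX; it does not bound `pHdr->sBufSize` by `pMac->cfg.gCfgMaxSBufSize`, the actual string-buffer limit that the log line just above prints next to it. Presumably the code after this hunk compares `expLen` against `length`, which would reject a mismatch, but that only protects the later copy if `length` itself is trustworthy; a direct `if (pHdr->sBufSize > pMac->cfg.gCfgMaxSBufSize) { retVal = WNI_CFG_INVALID_LEN; goto end; }` is the tighter, self-evident check. The new warning prints sBufSize with `%d`; if the field is an unsigned 32-bit value as the UINT_MAX comparison suggests, `%u` is the matching specifier. ProcDnldRsp continues outside the hunk, so the subsequent use of expLen is not visible here.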