| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2018-09-17 18:07:27 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-10-11 07:38:34 -0700 |
| commit | e698cdcc426658f015cbd3287ad9d129174564f2 (patch) | |
| tree | b94dd6cc8e432400a3d97083130474e230dd5cff | |
| parent | 98083231e5f4f6a4bcc8ac5181c03a53e128978d (diff) | |
qcacld-3.0: Fix possible OOB read in proc_dnld_rsp
In proc_dnld_rsp, pHdr->sBufSize is coming from the fw message,
which cannot be trusted. Before its use, proc_dnld_rsp
should verify it against its max allowed size (UINT_MAX).
Fix is to add a sanity check for pHdr->sBufSize against UINT_MAX
before its use.
Change-Id: I6ec970483af860d5e42d6adac640274743f44f1a
CRs-Fixed: 2308333
| -rw-r--r-- | core/mac/src/cfg/cfg_proc_msg.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/core/mac/src/cfg/cfg_proc_msg.c b/core/mac/src/cfg/cfg_proc_msg.c index 14c64325eb38..acc40f750048 100644 --- a/core/mac/src/cfg/cfg_proc_msg.c +++ b/core/mac/src/cfg/cfg_proc_msg.c @@ -1540,6 +1540,13 @@ static void proc_dnld_rsp(tpAniSirGlobal pMac, uint16_t length, uint32_t *pParam pHdr->controlSize, pHdr->iBufSize, pHdr->sBufSize, pMac->cfg.gCfgMaxSBufSize); + if (pHdr->sBufSize > (UINT_MAX - + (((CFG_PARAM_MAX_NUM + 3 * pMac->cfg.gCfgMaxIBufSize) << 2) + + sizeof(tCfgBinHdr)))) { + pe_warn("Invalid sBufSize coming from fw %d", pHdr->sBufSize); + retVal = WNI_CFG_INVALID_LEN; + goto end; + } expLen = ((CFG_PARAM_MAX_NUM + 3 * pMac->cfg.gCfgMaxIBufSize) << 2) + pHdr->sBufSize + sizeof(tCfgBinHdr); |
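Review bot: The new check in proc_dnld_rsp only stops expLen from wrapping past UINT_MAX; it does not bound pHdr->sBufSize against pMac->cfg.gCfgMaxSBufSize, which the pe_debug immediately above already prints next to it, so any firmware-supplied sBufSize up to UINT_MAX minus the fixed overhead still passes this check. Consider also rejecting `pHdr->sBufSize > pMac->cfg.gCfgMaxSBufSize`, a far tighter bound for a string-buffer size. Separately, `pe_warn("Invalid sBufSize coming from fw %d", pHdr->sBufSize);` prints with %d a field that is compared against UINT_MAX and so is presumably unsigned; %u would avoid logging large rejected values as negatives.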
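To make the wraparound the patch guards against concrete, the following is an added C example and not the driver's own code: it models the expLen computation from the hunk with assumed values for CFG_PARAM_MAX_NUM and gCfgMaxIBufSize and an assumed tCfgBinHdr layout, and it assumes (the page does not show this) that a downstream consumer compares the received message length to expLen. The unpatched shape accepts a 16-byte message whose header claims a string buffer of nearly 4 GiB; the patched shape, using the commit's UINT_MAX check, rejects it.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for tCfgBinHdr with the three size fields the
 * commit's debug print names. Field widths are an assumption. */
typedef struct {
    uint32_t controlSize;
    uint32_t iBufSize;
    uint32_t sBufSize;
} bin_hdr_t;

/* Assumed values for CFG_PARAM_MAX_NUM and pMac->cfg.gCfgMaxIBufSize. */
#define CFG_PARAM_MAX_NUM_ASSUMED 256u
#define CFG_MAX_IBUF_SIZE_ASSUMED 4u

static bin_hdr_t make_hdr(uint32_t sbuf_size)
{
    bin_hdr_t h = { .controlSize = 0, .iBufSize = 0, .sBufSize = sbuf_size };
    return h;
}

/* Every term of the commit's expLen formula except sBufSize. */
static uint32_t fixed_overhead(uint32_t max_ibuf)
{
    return ((CFG_PARAM_MAX_NUM_ASSUMED + 3u * max_ibuf) << 2)
           + (uint32_t)sizeof(bin_hdr_t);
}

/* Unpatched shape: expLen is computed straight from the firmware-supplied
 * sBufSize, so a value near UINT_MAX wraps expLen to a small number.
 * The length == expLen comparison is an assumed consumer. */
static bool accept_unpatched(bin_hdr_t hdr, uint32_t length, uint32_t max_ibuf)
{
    uint32_t expLen = fixed_overhead(max_ibuf) + hdr.sBufSize; /* wraps */
    return length == expLen;
}

/* Patched shape: the commit's check, sBufSize may not exceed what is
 * left below UINT_MAX once the fixed overhead is accounted for. */
static bool accept_patched(bin_hdr_t hdr, uint32_t length, uint32_t max_ibuf)
{
    uint32_t overhead = fixed_overhead(max_ibuf);
    if (hdr.sBufSize > UINT_MAX - overhead)
        return false;                 /* the WNI_CFG_INVALID_LEN path */
    return length == overhead + hdr.sBufSize;
}

/* sBufSize that makes the unpatched expLen wrap to exactly target_len. */
static uint32_t crafted_sbuf_size(uint32_t target_len, uint32_t max_ibuf)
{
    return target_len - fixed_overhead(max_ibuf); /* unsigned wrap intended */
}

/* Bytes a parser trusting sBufSize would read beyond a message of `length` bytes. */
static uint64_t bytes_past_end(bin_hdr_t hdr, uint32_t length, uint32_t max_ibuf)
{
    uint64_t needed = (uint64_t)fixed_overhead(max_ibuf) + hdr.sBufSize;
    return needed > length ? needed - length : 0;
}

int main(void)
{
    uint32_t ibuf = CFG_MAX_IBUF_SIZE_ASSUMED;
    uint32_t short_len = 16;
    bin_hdr_t evil = make_hdr(crafted_sbuf_size(short_len, ibuf));

    printf("crafted sBufSize = %u\n", evil.sBufSize);
    printf("unpatched accepts 16-byte message: %d\n",
           accept_unpatched(evil, short_len, ibuf));
    printf("patched accepts it:                %d\n",
           accept_patched(evil, short_len, ibuf));
    printf("bytes read past end if trusted:    %llu\n",
           (unsigned long long)bytes_past_end(evil, short_len, ibuf));
    return 0;
}
```

With the assumed constants the fixed overhead is 1084 bytes, so a crafted sBufSize of 4294966228 wraps expLen to 16 in the unpatched version while the patched check rejects it; a parser that went on to trust that sBufSize would read 2^32 bytes past the end of the message.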
