| author | Yeshwanth Sriram Guntuka <ysriramg@codeaurora.org> | 2018-06-22 18:21:01 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-07-03 08:24:03 -0700 |
| commit | e706c8654a91b7a2bbdfcbf6903c0275245152cc (patch) | |
| tree | ff343d4c539ada73bebefb026bf3eef5bbf3f018 | |
| parent | 846d6291adce261eed9dbbdef6c82e6dc872f67e (diff) | |
qcacld-3.0: Fix possible buffer overflow in wma_encrypt_decrypt_msg_handler
Data len received in encrypt decrypt data response
is not validated against the max allowed size. This
can result in buffer overflow.
Fix is to validate data len against max allowed size.
Change-Id: I69bd8e63014220e5a2f291e4a0b1914d10c79fd7
CRs-Fixed: 2226375
| -rw-r--r-- | core/wma/src/wma_features.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c index 0519fd99e5a9..248ff3d583c9 100644 --- a/core/wma/src/wma_features.c +++ b/core/wma/src/wma_features.c @@ -10907,7 +10907,9 @@ int wma_encrypt_decrypt_msg_handler(void *handle, uint8_t *data, encrypt_decrypt_rsp_params.vdev_id = data_event->vdev_id; encrypt_decrypt_rsp_params.status = data_event->status; - if (data_event->data_length > param_buf->num_enc80211_frame) { + if ((data_event->data_length > param_buf->num_enc80211_frame) || + (data_event->data_length > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE - + sizeof(*data_event))) { WMA_LOGE("FW msg data_len %d more than TLV hdr %d", data_event->data_length, param_buf->num_enc80211_frame); |
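Review bot: the WMA_LOGE call that follows the widened condition still reports only `data_event->data_length` against `param_buf->num_enc80211_frame` with the text "more than TLV hdr", so when the new `WMI_SVC_MSG_MAX_SIZE` bound is the one that trips, the log names the wrong limit. Consider splitting this into two checks with their own messages, or logging the computed maximum alongside the other two values. Separately, because `sizeof(*data_event)` has type size_t, `WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE - sizeof(*data_event)` is evaluated in unsigned arithmetic. The bound is only meaningful if the maximum message size exceeds the TLV header plus the fixed event struct, and a short comment or a compile-time assertion stating that would make the no-wraparound assumption explicit. The same expression is a good candidate for a named local, so the limit is computed once and can be reused in the log line.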
