authorAbhinav Kumar <abhikuma@codeaurora.org>2017-10-22 19:23:03 +0530
committersnandini <snandini@codeaurora.org>2017-11-05 21:52:45 -0800
commitea4459a044783649b1695653f848647c68bee69d (patch)
treef2a7cd21d434ec21dfd098f7b1afa566fb0a995e
parent247ef5346d27a759648de6f76e4832db74247fc1 (diff)
qcacld-2.0: Fix buffer overwrite in wma_pdev_div_info_evt_handler()
Currently, event->num_chains_valid received from FW is used to check upper bound of chain rssi array which is allocated only for fixed size of chain_rssi_result structure. If event->num_chains_valid received from FW is greater than size of chain_rssi_result structure, buffer overwrite will occur. Add sanity check to make sure event->num_chains_valid is not greater than CHAIN_MAX_NUM. Change-Id: I25296cb122b40bd03fab663ce48104ccab6827a3 CRs-Fixed: 2113385
-rw-r--r--CORE/SERVICES/WMA/wma.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 3349c81a68fd..1df6fd2ebf12 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -6400,6 +6400,12 @@ static int wma_pdev_div_info_evt_handler(void *handle, u_int8_t *event_buf,
WMI_MAC_ADDR_TO_CHAR_ARRAY(&event->macaddr, macaddr);
WMA_LOGD(FL("macaddr: " MAC_ADDRESS_STR), MAC_ADDR_ARRAY(macaddr));
+ if (event->num_chains_valid > CHAIN_MAX_NUM) {
+ WMA_LOGD("Sizing down the chains no %d to max",
+ event->num_chains_valid);
+ event->num_chains_valid = CHAIN_MAX_NUM;
+ }
+
WMA_LOGD(FL("num_chains_valid: %d"), event->num_chains_valid);
chain_rssi_result.num_chains_valid = event->num_chains_valid;
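Review bot: The new clamp reports an out-of-range `event->num_chains_valid` from firmware only through `WMA_LOGD`, and without the `FL()` prefix the neighbouring logs use, so a malformed event leaves no trace on builds where debug logging is off. I would log it at error level, e.g. `WMA_LOGE(FL("num_chains_valid %u exceeds CHAIN_MAX_NUM, clamping"), event->num_chains_valid);`, with `%u` if the field is unsigned. If the field is signed instead, a negative value passes the `>` check and the guard would also need to reject it. The clamp writes the corrected value back into the firmware event buffer, whereas bounding a local, or `chain_rssi_result.num_chains_valid` directly, would leave the received event untouched. The handler continues past this hunk, so confirm that the copy into the chain RSSI array uses the clamped count and not a value read earlier.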