diff options
| author | gaurank kathpalia <gkathpal@codeaurora.org> | 2017-10-23 18:03:08 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-11-05 22:58:40 -0800 |
| commit | eda1587151effdbab26911a6e2ee9f3094d62392 (patch) | |
| tree | 12076313063dfd7851b1f63a526bf1e031ad9934 | |
| parent | 161d2ff06eaaa5c4c4f5207098cc0f7328577809 (diff) | |
qcacld-2.0: Fix Int overflow in wma_radio_chan_stats_event_handler
Currently, value of fix_param->num_chans is received from FW
If the value of variable fix_param->num_chans is very large,
then the derived length of data in the event can be
overflowed.
Add sanity check for fix_param->num_chans to avoid overflow
Change-Id: Iac59550b9ecdd6833d0ad262b51e56b6532941c5
CRs-Fixed: 2114396
| -rw-r--r-- | CORE/SERVICES/WMA/wma_ocb.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/CORE/SERVICES/WMA/wma_ocb.c b/CORE/SERVICES/WMA/wma_ocb.c index efd1447f237e..f9c2668b18e7 100644 --- a/CORE/SERVICES/WMA/wma_ocb.c +++ b/CORE/SERVICES/WMA/wma_ocb.c @@ -1136,6 +1136,12 @@ static int wma_radio_chan_stats_event_handler(void *handle, u_int8_t *event, if (!chan_stats) { WMA_LOGE("Invalid radio_chan_stats ptr"); return -EINVAL; + + if (fix_param->num_chans > (UINT32_MAX - sizeof(*resp))/ + sizeof(struct radio_chan_stats_info)) { + WMA_LOGE("%s: number of channels = %d greater thanmax limit", + __func__,fix_param->num_chans); + return -EINVAL; } len = sizeof(*resp) + |
