authortinlin <tinlin@codeaurora.org>2018-11-16 14:10:38 +0800
committertinlin <tinlin@codeaurora.org>2018-11-16 14:10:38 +0800
commitf031013a654310d8388b3a20bc7d9526e4a175d4 (patch)
tree54bebe1390884ac40aafa8b8c0098ffca3c66dee
parentb4036eac15ca566812fa5fdac596b9e1edc9645e (diff)
qcacld-2.0: Fix possible OOB access while sending NAN msg to firmware
Fix a possible OOB access while sending a NAN msg to firmware by checking the data len calculation for integer overflow and making sure the data len is less than the max wmi msg size. Change-Id: I98f42b9924a1810282ae3bca031cd5a1e3dd4047 CRs-Fixed: 2350914
-rw-r--r--CORE/SERVICES/WMA/wma.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 4491528675eb..22f3cb96383d 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -31920,6 +31920,18 @@ static VOS_STATUS wma_nan_req(void *wda_handle, tpNanRequest nan_req)
nan_data_len = nan_req->request_data_len;
nan_data_len_aligned = roundup(nan_req->request_data_len,
sizeof(u_int32_t));
+ if (nan_data_len_aligned < nan_req->request_data_len) {
+ WMA_LOGE("%s: integer overflow while rounding up data_len",
+ __func__);
+ return VOS_STATUS_E_NOMEM;
+ }
+
+ if (nan_data_len_aligned > WMA_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE) {
+ WMA_LOGE("%s: wmi_max_msg_size overflow for given datalen",
+ __func__);
+ return VOS_STATUS_E_NOMEM;
+ }
+
len += WMI_TLV_HDR_SIZE + nan_data_len_aligned;
buf = wmi_buf_alloc(wma_handle->wmi_handle, len);
if (!buf) {
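Review bot: The new size check on `nan_data_len_aligned` does not count what `len` already holds when `len += WMI_TLV_HDR_SIZE + nan_data_len_aligned` runs, so the total passed to `wmi_buf_alloc()` can still exceed `WMA_SVC_MSG_MAX_SIZE` by that amount. `len` is initialised outside this hunk (presumably to the fixed command size), so this needs confirming against the full function; if it holds, fold it into the bound, e.g. `if (len > WMA_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE || nan_data_len_aligned > WMA_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE - len) {`. Both new rejections also return `VOS_STATUS_E_NOMEM`, which reports a wrapped or over-long request length as an allocation failure; an invalid-argument status such as `VOS_STATUS_E_INVAL` would let callers and logs tell a malformed request from memory pressure. wma_nan_req begins and ends outside the hunk.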