| author | tinlin <tinlin@codeaurora.org> | 2018-01-17 16:01:28 +0800 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-01-18 00:46:04 -0800 |
| commit | f9dcf11bf89613e783bde7ec652172c7a5003d4f (patch) | |
| tree | 1ea74ddfeb804c366fd51903fc0e65e8aa4a5d64 | |
| parent | 60a730f59af08ca9875bc837630fc066c2acce66 (diff) | |
qcacld-2.0: Add sanity check for wma_ndp_confirm_event_handler
Add sanity check for wma_ndp_confirm_event_handler and
wma_ndp_indication_event_handler to prevent OOB access.
Change-Id: I9ecf55a3606036d3e1f0916c948c4360475965fa
CRs-Fixed: 2170668
| -rw-r--r-- | CORE/SERVICES/WMA/wma_nan_datapath.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/CORE/SERVICES/WMA/wma_nan_datapath.c b/CORE/SERVICES/WMA/wma_nan_datapath.c index adaca2127898..5680de022f4c 100644 --- a/CORE/SERVICES/WMA/wma_nan_datapath.c +++ b/CORE/SERVICES/WMA/wma_nan_datapath.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2017 The Linux Foundation. All rights reserved. + * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -487,6 +487,18 @@ static int wma_ndp_indication_event_handler(void *handle, uint8_t *event_info, fixed_params = (wmi_ndp_indication_event_fixed_param *)event->fixed_param; + if (fixed_params->ndp_cfg_len > event->num_ndp_cfg) { + WMA_LOGE("FW message ndp cfg length %d larger than TLV hdr %d", + fixed_params->ndp_cfg_len, event->num_ndp_cfg); + return -EINVAL; + } + + if (fixed_params->ndp_app_info_len > event->num_ndp_app_info) { + WMA_LOGE("FW message ndp app info length %d more than TLV hdr %d", + fixed_params->ndp_app_info_len, event->num_ndp_app_info); + return -EINVAL; + } + ind_event = vos_mem_malloc(sizeof(*ind_event)); if (!ind_event) { WMA_LOGP(FL("Failed to allocate memory")); 
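Review bot: The two `WMA_LOGE` calls added to wma_ndp_indication_event_handler print the firmware-supplied lengths with `%d` and omit the `FL()` wrapper used by the neighbouring `WMA_LOGP(FL("Failed to allocate memory"))`. The field declarations are outside this hunk, but if these are unsigned 32-bit values, as WMI length fields usually are, a length above INT_MAX would be logged as a negative number in exactly the case this check is meant to record. Writing it as `WMA_LOGE(FL("FW message ndp cfg length %u larger than TLV hdr %u"), fixed_params->ndp_cfg_len, event->num_ndp_cfg);` keeps the rejected value readable and matches the surrounding log style. The same applies to the ndp app info check here and to both checks added in wma_ndp_confirm_event_handler. A one-line comment above the checks, such as `/* lengths in fixed_params come from firmware; bound them by the element counts the TLV parser reported */`, would record why the comparison is against `num_ndp_cfg` and `num_ndp_app_info`.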
@@ -648,10 +660,20 @@ static int wma_ndp_confirm_event_handler(void *handle, uint8_t *event_info, fixed_params->reason_code, fixed_params->num_active_ndps_on_peer); + if (fixed_params->ndp_cfg_len > event->num_ndp_cfg) { + WMA_LOGE("FW message ndp cfg length %d larger than TLV hdr %d", + fixed_params->ndp_cfg_len, event->num_ndp_cfg); + return -EINVAL; + } WMA_LOGE(FL("ndp_cfg - %d bytes"), fixed_params->ndp_cfg_len); VOS_TRACE_HEX_DUMP(VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_DEBUG, &event->ndp_cfg, fixed_params->ndp_cfg_len); + if (fixed_params->ndp_app_info_len > event->num_ndp_app_info) { + WMA_LOGE("FW message ndp app info length %d more than TLV hdr %d", + fixed_params->ndp_app_info_len, event->num_ndp_app_info); + return -EINVAL; + } WMA_LOGE(FL("ndp_app_info - %d bytes"), fixed_params->ndp_app_info_len); VOS_TRACE_HEX_DUMP(VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_DEBUG, &event->ndp_app_info, fixed_params->ndp_app_info_len); |
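Review bot: In wma_ndp_confirm_event_handler the two length checks are interleaved with the hex dumps, so an event with an acceptable `ndp_cfg_len` but an oversized `ndp_app_info_len` is logged and partly dumped before it is rejected. Moving the `ndp_app_info_len` check up beside the `ndp_cfg_len` check, ahead of the first `VOS_TRACE_HEX_DUMP`, would validate every firmware-supplied length in one place before any of them is used, as the indication handler in this commit does. It also makes it harder for later code to be inserted ahead of a check. The start and end of the function are outside this hunk, so it is worth confirming that nothing allocated earlier is leaked by the new `return -EINVAL` paths.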
