| author | jitiphil <jitiphil@codeaurora.org> | 2018-08-09 14:17:54 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-08-23 19:30:01 -0700 |
| commit | fe50df3142c382c83cbdefd50bb277f623247f06 (patch) | |
| tree | 64139097bfa27368042d6c583bc84871fe94e2be | |
| parent | 9288a1ccafc13bedb19d0672ac0e743b1ba70bf7 (diff) | |
qcacld-2.0: Integer overflow in wma_unified_link_peer_stats_event_handler
In wma_unified_link_peer_stats_event_handler a check for excess WMI
buffer is done by comparing the difference between WMI_SVC_MSG_MAX_SIZE and
the buffer length with the size of wmi_peer_stats_event_fixed_param. In case the
buffer length is a value larger than WMI_SVC_MSG_MAX_SIZE, and as the buffer
length is an unsigned integer, it causes an integer overflow and results
in a very large value, thus invalidating the check.
Change the check to compare the difference of WMI_SVC_MSG_MAX_SIZE and the size
of wmi_peer_stats_event_fixed_param with the buffer length, which
prevents the chance of integer overflow.
Change-Id: Ic99d0cf6b34c7c45dde3c4feb50e102807564eff
CRs-Fixed: 2262294
| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c index d58a33822e52..fe7c7a2069f8 100644 --- a/CORE/SERVICES/WMA/wma.c +++ b/CORE/SERVICES/WMA/wma.c @@ -5108,7 +5108,7 @@ static int wma_unified_link_peer_stats_event_handler(void *handle, size_t peer_info_size, peer_stats_size, rate_stats_size; size_t link_stats_results_size; bool excess_data = false; - u_int32_t buf_len; + u_int32_t buf_len = 0; tpAniSirGlobal pMac = (tpAniSirGlobal )vos_get_context(VOS_MODULE_ID_PE, wma_handle->vos_context); @@ -5176,7 +5176,7 @@ static int wma_unified_link_peer_stats_event_handler(void *handle, } while (0); if (excess_data || - (sizeof(*fixed_param) > WMA_SVC_MSG_MAX_SIZE - buf_len)) { + (buf_len > WMA_SVC_MSG_MAX_SIZE - sizeof(*fixed_param))) { WMA_LOGE("excess wmi buffer: rates:%d, peers:%d", peer_stats->num_rates, fixed_param->num_peers); VOS_ASSERT(0); |
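Review bot: the first hunk's `u_int32_t buf_len = 0;` is not mentioned in the commit message; since the excess-buffer check runs after the `} while (0);` block, initialising buf_len (as `bool excess_data = false;` already is) guarantees the comparison never reads an indeterminate value if that block breaks out before buf_len is assigned, and a sentence in the message saying so would document why the hunk is there.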
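Review bot: in the second hunk the new check `buf_len > WMA_SVC_MSG_MAX_SIZE - sizeof(*fixed_param)` removes the wrap only because the right-hand side is a constant, and that constant cannot itself wrap only while WMA_SVC_MSG_MAX_SIZE >= sizeof(*fixed_param); that precondition is worth pinning with a static assertion or a comment beside the check, since if the limit were ever lowered below the struct size the size_t subtraction would wrap and the check would accept every length. The commit message also names the constant WMI_SVC_MSG_MAX_SIZE while the diff uses WMA_SVC_MSG_MAX_SIZE; align the message with the identifier in the code.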

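Added example (not code from the qcacld-2.0 tree): the pre-patch and patched forms of the excess-buffer check side by side, showing on sample lengths why the unsigned subtraction in the old form lets an oversized buffer through. The maximum-size constant and the fixed_param struct are stand-ins, since their real definitions are not on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for WMA_SVC_MSG_MAX_SIZE; the real value is not on this page. */
#define WMA_SVC_MSG_MAX_SIZE_STUB 4096u

/* Stand-in for wmi_peer_stats_event_fixed_param (24 bytes, no padding). */
struct fixed_param_stub {
    uint32_t num_peers;
    uint32_t num_rates;
    uint32_t reserved[4];
};

/* Precondition that keeps the patched form wrap-free: the limit must be at
 * least as large as the header the check subtracts from it. */
_Static_assert(WMA_SVC_MSG_MAX_SIZE_STUB >= sizeof(struct fixed_param_stub),
               "message limit smaller than fixed_param");

/* The intermediate the pre-patch check relies on: computed in u_int32_t,
 * so buf_len > max wraps to a value near UINT32_MAX. */
uint32_t old_intermediate(uint32_t buf_len)
{
    return WMA_SVC_MSG_MAX_SIZE_STUB - buf_len;
}

/* Pre-patch check: sizeof(*fixed_param) > MAX - buf_len. Once MAX - buf_len
 * has wrapped, the comparison is false and the oversized buffer is accepted. */
bool old_check_rejects(uint32_t buf_len)
{
    return sizeof(struct fixed_param_stub) > old_intermediate(buf_len);
}

/* Patched check: buf_len > MAX - sizeof(*fixed_param). The right-hand side is
 * a constant bound, so no length can make it wrap. */
bool new_check_rejects(uint32_t buf_len)
{
    return buf_len > WMA_SVC_MSG_MAX_SIZE_STUB - sizeof(struct fixed_param_stub);
}

int main(void)
{
    const uint32_t samples[] = {100u, 4090u, 5000u, UINT32_MAX};
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t n = samples[i];
        printf("buf_len=%10u  old rejects=%d (MAX-buf_len=%10u)  new rejects=%d\n",
               n, old_check_rejects(n), old_intermediate(n), new_check_rejects(n));
    }
    return 0;
}
```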