authorTushnim Bhattacharyya <tushnimb@codeaurora.org>2017-06-06 14:01:47 -0700
committersnandini <snandini@codeaurora.org>2017-06-08 04:40:21 -0700
commit8d33aa4e8c6170c849d75002c28c38e9e00744db (patch)
tree47620e361e9a69fec15fe19027532d5f95f6b6f2 /core
parent6cb7d2b877ab33836bde7e6e11632ffff55f2fbd (diff)
qcacld-3.0: Avoid buffer overread when retrieving cnss diag cmd
In cnss_diag_cmd_handler(), add a length check for the command attribute. This prevents the possibility of a buffer overread or underrun. Also add an audit comment explaining why the policy table is not used in this API. Change-Id: I023bbf3789498f315fd1bff8db8ef8257abb2b04 CRs-Fixed: 2054778
Diffstat (limited to 'core')
-rw-r--r--core/utils/fwlog/dbglog_host.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/core/utils/fwlog/dbglog_host.c b/core/utils/fwlog/dbglog_host.c
index 0f7a1f3e7b93..0659ab545a58 100644
--- a/core/utils/fwlog/dbglog_host.c
+++ b/core/utils/fwlog/dbglog_host.c
@@ -4173,6 +4173,10 @@ static void cnss_diag_cmd_handler(const void *data, int data_len,
struct dbglog_slot *slot = NULL;
struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_MAX + 1];
+ /*
+ * audit note: it is ok to pass a NULL policy here since a
+ * length check on the data is added later already
+ */
if (nla_parse(tb, CLD80211_ATTR_MAX, data, data_len, NULL)) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: nla parse fails\n",
__func__));
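Review bot: The audit note added above the nla_parse() call justifies the NULL policy with a check "added later" without saying which attribute or which check it relies on; since the only attribute this change shows being consumed is CLD80211_ATTR_DATA, the comment would carry more weight as `audit note: a NULL policy is acceptable here because the only attribute consumed, CLD80211_ATTR_DATA, has its length checked against sizeof(struct dbglog_slot) before it is dereferenced`. With a NULL policy nla_parse() performs no per-attribute type or length validation, so any attribute consumed by this handler in the future needs an explicit check of its own, and the comment should say so. Separately, tb is declared with QCA_WLAN_VENDOR_ATTR_MAX + 1 entries while nla_parse() is given CLD80211_ATTR_MAX as its maxtype; if CLD80211_ATTR_MAX is larger than QCA_WLAN_VENDOR_ATTR_MAX (their values are not visible here), nla_parse() would write past the end of tb, so declaring `struct nlattr *tb[CLD80211_ATTR_MAX + 1];` keeps the array bound and the parse limit in step. cnss_diag_cmd_handler() starts before and continues after this hunk.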
@@ -4184,6 +4188,12 @@ static void cnss_diag_cmd_handler(const void *data, int data_len,
__func__));
return;
}
+
+ if (nla_len(tb[CLD80211_ATTR_DATA]) != sizeof(struct dbglog_slot)) {
+ AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: attr length check fails\n",
+ __func__));
+ return;
+ }
slot = (struct dbglog_slot *)nla_data(tb[CLD80211_ATTR_DATA]);
if (!slot) {