diff options
| author | Debasis Das <ddas@codeaurora.org> | 2018-04-04 17:17:55 +0530 |
|---|---|---|
| committer | Debasis Das <ddas@codeaurora.org> | 2020-01-21 15:03:35 +0530 |
| commit | 7789c4682b931c9e911f934e727ac5d9cb0b6087 (patch) | |
| tree | 90e2c046e5e09c70aed05c55725f2932820d52bc /wmi/src | |
| parent | 35e0ae41c368c9f8ec341cfee7ab28a381ff3da6 (diff) | |
qcacmn: Fix Integer Overflow Leading to Buffer Overflow
wmi_buf_alloc() API expects length to be passed of type
uint16_t. However, the callers pass uint32_t to it.
This might result in overflow and illegal memory access
thereafter. The fix is to modify the API signature accordingly.
Change-Id: If09da4978d421269b884f7d3c933c49c81651475
CRs-Fixed: 2218346
Diffstat (limited to 'wmi/src')
| -rw-r--r-- | wmi/src/wmi_unified.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/wmi/src/wmi_unified.c b/wmi/src/wmi_unified.c index 9aa0a8b0faad..2123435149e4 100644 --- a/wmi/src/wmi_unified.c +++ b/wmi/src/wmi_unified.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2015-2018,2020 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -1201,8 +1201,8 @@ int wmi_get_host_credits(wmi_unified_t wmi_handle); #ifdef MEMORY_DEBUG wmi_buf_t -wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len, uint8_t *file_name, - uint32_t line_num) +wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len, uint8_t *file_name, + uint32_t line_num) { wmi_buf_t wmi_buf; @@ -1235,7 +1235,7 @@ void wmi_buf_free(wmi_buf_t net_buf) qdf_nbuf_free(net_buf); } #else -wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len) +wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len) { wmi_buf_t wmi_buf; |