| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 4268a359035c..769dd93733f2 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -20923,6 +20923,16 @@ static int wma_tbttoffset_update_event_handler(void *handle, u_int8_t *event,
 }
 tbtt_offset_event = param_buf->fixed_param;
+
+ if (param_buf->num_tbttoffset_list >
+ (UINT_MAX - sizeof(u_int32_t) -
+ sizeof(wmi_tbtt_offset_event_fixed_param))/
+ sizeof(u_int32_t)) {
+ WMA_LOGE("%s: Received offset list %d greater than maximum limit",
+ __func__, param_buf->num_tbttoffset_list);
+ return -EINVAL;
+ }
+
 buf = vos_mem_malloc(sizeof(wmi_tbtt_offset_event_fixed_param) + sizeof (u_int32_t) + (param_buf->num_tbttoffset_list * sizeof (u_int32_t))); |
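Review bot: The added guard in wma_tbttoffset_update_event_handler only rules out wraparound of the size handed to vos_mem_malloc; any num_tbttoffset_list up to roughly UINT_MAX / sizeof(u_int32_t) still passes, so the count can request an allocation of almost 4 GiB and is never compared with the length of the event that was actually received. If that length, or a driver-wide maximum for this list, is available to the handler (its signature and the rest of its body lie outside the hunk, so this cannot be confirmed here), the count should be bounded against it rather than against UINT_MAX. The error log also prints the count with `%d`, while the comparison against a UINT_MAX-based limit suggests the field is unsigned; if so, `WMA_LOGE("%s: Received offset list %u greater than maximum limit",` keeps a large rejected value from showing up as a negative number when someone triages the log.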
