-rw-r--r--core/wma/src/wma_ocb.c8
-rw-r--r--core/wma/src/wma_scan_roam.c8
2 files changed, 16 insertions, 0 deletions
diff --git a/core/wma/src/wma_ocb.c b/core/wma/src/wma_ocb.c
index 16e9e3ef167a..745a7868052c 100644
--- a/core/wma/src/wma_ocb.c
+++ b/core/wma/src/wma_ocb.c
@@ -675,6 +675,14 @@ static int wma_dcc_stats_event_handler(void *handle, uint8_t *event_buf,
response->num_channels = fix_param->num_channels;
response->channel_stats_array_len =
fix_param->num_channels * sizeof(wmi_dcc_ndl_stats_per_channel);
+
+ if (fix_param->num_channels > param_tlvs->num_stats_per_channel_list) {
+ WMA_LOGE("FW message num_chan %d more than TLV hdr %d",
+ fix_param->num_channels,
+ param_tlvs->num_stats_per_channel_list);
+ return -EINVAL;
+ }
+
response->channel_stats_array = ((void *)response) + sizeof(*response);
qdf_mem_copy(response->channel_stats_array,
param_tlvs->stats_per_channel_list,
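Review bot: The bounds check sits after `response->num_channels` and `response->channel_stats_array_len` have been filled in, and `response->channel_stats_array = ((void *)response) + sizeof(*response)` suggests `response` was already sized from `fix_param->num_channels`. If `response` is heap-allocated earlier in `wma_dcc_stats_event_handler` (outside this hunk), the new `return -EINVAL` leaves it unfreed, so each firmware event with an inflated count would leak a buffer. Moving the comparison ahead of the allocation, or releasing `response` on this path, avoids that and keeps the unvalidated count out of `fix_param->num_channels * sizeof(wmi_dcc_ndl_stats_per_channel)`. The same early-return pattern appears in the `wma_extscan_operations_event_handler` hunk in wma_scan_roam.c, where anything acquired before the `switch` needs the same check.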
diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
index 6aac284c497b..d9ed6e2678bb 100644
--- a/core/wma/src/wma_scan_roam.c
+++ b/core/wma/src/wma_scan_roam.c
@@ -4218,6 +4218,14 @@ int wma_extscan_operations_event_handler(void *handle,
case WMI_EXTSCAN_CYCLE_STARTED_EVENT:
WMA_LOGD("%s: received WMI_EXTSCAN_CYCLE_STARTED_EVENT",
__func__);
+
+ if (oprn_event->num_buckets > param_buf->num_bucket_id) {
+ WMA_LOGE("FW mesg num_buk %d more than TLV hdr %d",
+ oprn_event->num_buckets,
+ param_buf->num_bucket_id);
+ return -EINVAL;
+ }
+
cds_host_diag_log_work(&wma->extscan_wake_lock,
WMA_EXTSCAN_CYCLE_WAKE_LOCK_DURATION,
WIFI_POWER_EVENT_WAKELOCK_EXT_SCAN);
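Review bot: The new bound on `oprn_event->num_buckets` is enforced only under `case WMI_EXTSCAN_CYCLE_STARTED_EVENT`, so any other case in this switch that walks the bucket-id TLV by `num_buckets` would still trust the firmware-supplied count. The rest of the switch is outside the hunk, so this needs confirming against the full function. If more than one case reads the array, hoisting the comparison above the `switch` gives a single validation point. The error log would also be easier to trace with the same prefix as the debug line above it, e.g. `WMA_LOGE("%s: FW num_buckets %d exceeds TLV count %d", __func__, ...)`.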