From 3963fd07c29d618d35ddd2decd2db009256be110 Mon Sep 17 00:00:00 2001 From: Arif Hussain Date: Fri, 21 Dec 2018 14:58:55 -0800 Subject: qcacmn: Validate number of entries in extract_host_mem_req_tlv() Validate num_mem_reqs should be less than TLV size in extract_host_mem_req_tlv() function. Change-Id: I88ebfc4bfe3abb9b0926990f5f777fc0d62e1fc1 CRs-Fixed: 2347667 --- wmi/src/wmi_unified_tlv.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 346879f9865b..95286ee66ad4 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -13027,6 +13027,12 @@ static host_mem_req *extract_host_mem_req_tlv(wmi_unified_t wmi_handle, return NULL; } + if (ev->num_mem_reqs > param_buf->num_mem_reqs) { + WMI_LOGE("Invalid num_mem_reqs %d:%d", + ev->num_mem_reqs, param_buf->num_mem_reqs); + return NULL; + } + *num_entries = ev->num_mem_reqs; return (host_mem_req *)param_buf->mem_reqs; -- cgit v1.2.3