From 5bbb95e64aadcd02dc4bebb1e91308e0bf47403b Mon Sep 17 00:00:00 2001
From: Pragaspathi Thilagaraj
Date: Thu, 4 Oct 2018 12:58:53 +0530
Subject: qcacld-2.0: Check for following radio link stats events

When first WMI_RADIO_LINK_STATS_EVENTID is received radio stats buffer is allocated based on num_radio param. There is an option for pending following events. So update wma_unified_link_radio_stats_event_handler to check if following events are valid wrt num_radio values to avoid buffer overwrites.

Change-Id: I854538e40481ab071f24b563e1937e2d47a26409
CRs-fixed: 2317883
---
 CORE/SERVICES/WMA/wma.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index e6f0c9bc4536..211dd79391ef 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -5445,6 +5445,22 @@ static int wma_unified_link_radio_stats_event_handler(void *handle,
 }
 link_stats_results = wma_handle->link_stats_results;
+ if (link_stats_results->num_radio == 0) {
+ link_stats_results->num_radio = fixed_param->num_radio;
+ } else if (link_stats_results->num_radio < fixed_param->num_radio) {
+ /*
+ * The link stats results size allocated based on num_radio of
+ * first event must be same as following events. Otherwise these
+ * events may be spoofed. Drop all of them and report error.
+ */
+ WMA_LOGE("Invalid following WMI_RADIO_LINK_STATS_EVENTID. Discarding this set");
+ rs_results->tx_time_per_power_level = NULL;
+ vos_mem_free(wma_handle->link_stats_results);
+ wma_handle->link_stats_results = NULL;
+ vos_mem_free(rs_results->tx_time_per_power_level);
+ return -EINVAL;
+ }
+
 vos_mem_zero(link_stats_results, link_stats_results_size);
 link_stats_results->paramId = WMI_LINK_STATS_RADIO;
--
cgit v1.2.3
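Review bot: The error path in the added `else if` branch sets `rs_results->tx_time_per_power_level = NULL` before freeing it, so the closing `vos_mem_free(rs_results->tx_time_per_power_level)` is handed NULL and any buffer the pointer held is leaked each time an event is rejected. If `rs_results` points into `link_stats_results` (its assignment is outside this hunk, so this is inferred), that last call also reads through memory released two lines earlier. Release the nested buffer first with `vos_mem_free(rs_results->tx_time_per_power_level); rs_results->tx_time_per_power_level = NULL;`, and only then `vos_mem_free(wma_handle->link_stats_results); wma_handle->link_stats_results = NULL;`. The comment says the counts "must be same" while the test is `<`; either compare with `!=` or reword the comment to say a smaller `num_radio` is accepted because it cannot overrun the first allocation. The handler's body begins and ends outside the hunk.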