From 7a8639875bb01bca2dcac7bda9e5d986fbf8683f Mon Sep 17 00:00:00 2001
From: gaolez
Date: Tue, 24 Apr 2018 19:31:28 +0800
Subject: qcacld-2.0: Add length check in ndp event handler
Add length check to prevent the data overflow the wmi buffer. The total length of data should not exceed max svc msg size.
CRs-Fixed: 2225113
Change-Id: I1543732fcfe0cb7e32f7175f7775c9550854cae8
---
 CORE/SERVICES/WMA/wma_nan_datapath.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/CORE/SERVICES/WMA/wma_nan_datapath.c b/CORE/SERVICES/WMA/wma_nan_datapath.c
index 5680de022f4c..c9ea6a2c4f00 100644
--- a/CORE/SERVICES/WMA/wma_nan_datapath.c
+++ b/CORE/SERVICES/WMA/wma_nan_datapath.c
@@ -482,6 +482,7 @@ static int wma_ndp_indication_event_handler(void *handle, uint8_t *event_info,
 vos_msg_t pe_msg = {0};
 struct ndp_indication_event *ind_event;
 VOS_STATUS status;
+ size_t total_array_len = 0;
 
 event = (WMI_NDP_INDICATION_EVENTID_param_tlvs *)event_info;
 fixed_params =
@@ -499,6 +500,32 @@ static int wma_ndp_indication_event_handler(void *handle, uint8_t *event_info,
 return -EINVAL;
 }
 
+ if (fixed_params->ndp_cfg_len >
+ (WMA_SVC_MSG_MAX_SIZE - sizeof(*fixed_params))) {
+ WMA_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+ __func__, fixed_params->ndp_cfg_len);
+ return -EINVAL;
+ } else {
+ total_array_len = fixed_params->ndp_cfg_len +
+ sizeof(*fixed_params);
+ }
+
+ if (fixed_params->ndp_app_info_len >
+ (WMA_SVC_MSG_MAX_SIZE - total_array_len)) {
+ WMA_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+ __func__, fixed_params->ndp_app_info_len);
+ return -EINVAL;
+ } else {
+ total_array_len += fixed_params->ndp_app_info_len;
+ }
+
+ if (fixed_params->nan_scid_len >
+ (WMA_SVC_MSG_MAX_SIZE - total_array_len)) {
+ WMA_LOGE("%s: excess wmi buffer: ndp_cfg_len %d",
+ __func__, fixed_params->nan_scid_len);
+ return -EINVAL;
+ }
+
 ind_event = vos_mem_malloc(sizeof(*ind_event));
 if (!ind_event) {
 WMA_LOGP(FL("Failed to allocate memory"));
-- cgit v1.2.3
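Review bot: The log strings in the second and third checks are copied from the first and still say `ndp_cfg_len` while printing `fixed_params->ndp_app_info_len` and `fixed_params->nan_scid_len`, so a rejected event is attributed to the wrong field during triage; change them to `WMA_LOGE("%s: excess wmi buffer: ndp_app_info_len %d", __func__, fixed_params->ndp_app_info_len);` and `WMA_LOGE("%s: excess wmi buffer: nan_scid_len %d", __func__, fixed_params->nan_scid_len);`. The three guards bound the sum of the firmware-supplied lengths by WMA_SVC_MSG_MAX_SIZE, which protects the destination message, but they never compare each length with the size of the TLV array the WMI parser actually delivered (if, as is usual for a `*_param_tlvs` struct, it carries `num_ndp_cfg`-style counters alongside `event->ndp_cfg` and friends), so a length that fits the message limit yet exceeds the received TLV could still over-read the event buffer in the copies that presumably follow below the hunk — worth checking there. Each `else` after a `return -EINVAL;` is redundant; `total_array_len` can be accumulated unconditionally after its guard. The `%d` specifiers print what look like unsigned 32-bit WMI fields, so `%u` would avoid negative-looking output for large values. wma_ndp_indication_event_handler begins before this hunk and continues past its last line.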