From f03212985e9c6a0cdb06eab6312e4eb08cb6cc87 Mon Sep 17 00:00:00 2001
From: Himanshu Agarwal
Date: Wed, 11 Oct 2017 13:56:51 +0530
Subject: qcacld-3.0: Fix input validation for wow_buf_pkt_len

To avoid out of bound memory access of wow_packet_buffer in wma_wow_wakeup_host_event(), we just need to check that the wow_buf_pkt_len obtained from first 4 bytes of wow_packet_buffer is not more than (num_wow_packet_buffer - 4). Fix input validation for wow_buf_pkt_len in wma_wow_wakeup_host_event().
Change-Id: Id7bf72ccbe2d06c32c1050d69a5a9d35ac8b15e9
CRs-Fixed: 2124643
---
 core/wma/src/wma_features.c | 20 +++++++++----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c
index 1d06cb99d580..137c823cc2a3 100644
--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c
@@ -4673,18 +4673,22 @@ int wma_wow_wakeup_host_event(void *handle, uint8_t *event,
 qdf_event_set(&wma->wma_resume_event);
- if (param_buf->wow_packet_buffer &&
- tlv_check_required(wake_info->wake_reason)) {
+ if (param_buf->wow_packet_buffer) {
 /*
 * In case of wow_packet_buffer, first 4 bytes is the length.
 * Following the length is the actual buffer.
 */
 wow_buf_pkt_len = *(uint32_t *)param_buf->wow_packet_buffer;
- if (wow_buf_pkt_len !=
- param_buf->num_wow_packet_buffer - 4) {
- WMA_LOGE("Invalid wow buf pkt len from firmware");
+ if (wow_buf_pkt_len > (param_buf->num_wow_packet_buffer - 4)) {
+ WMA_LOGE("Invalid wow buf pkt len from firmware, wow_buf_pkt_len: %u, num_wow_packet_buffer: %u",
+ wow_buf_pkt_len,
+ param_buf->num_wow_packet_buffer);
 return -EINVAL;
 }
+ }
+
+ if (param_buf->wow_packet_buffer &&
+ tlv_check_required(wake_info->wake_reason)) {
 tlv_hdr = WMITLV_GET_HDR(
 (uint8_t *)param_buf->wow_packet_buffer + 4);
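Review bot: The new bound check still dereferences `*(uint32_t *)param_buf->wow_packet_buffer` before establishing that the buffer actually holds those 4 bytes, and if `num_wow_packet_buffer` is unsigned (as WMI TLV counts usually are; its declaration is not visible here) a value below 4 makes `num_wow_packet_buffer - 4` wrap to a huge bound that any firmware-supplied length passes. Guard the size ahead of the dereference, e.g. `if (param_buf->num_wow_packet_buffer < 4) { WMA_LOGE("wow packet buffer shorter than length header"); return -EINVAL; }`. With the per-case qdf_mem_copy reads dropped in the two later hunks, this block is now the only place wow_buf_pkt_len is assigned, so its declaration (outside the hunk) must carry an initializer for the path where wow_packet_buffer is NULL yet `if (wow_buf_pkt_len == 0)` in the last hunk is reached. The `*(uint32_t *)` read of a byte buffer predates this change, but the memcpy form the removed lines used is the alignment-safe idiom and would be worth restoring if this line is touched again. The body of wma_wow_wakeup_host_event continues outside the hunk.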
@@ -4719,9 +4723,6 @@ int wma_wow_wakeup_host_event(void *handle, uint8_t *event,
 case WOW_REASON_BEACON_RECV:
 case WOW_REASON_ACTION_FRAME_RECV:
 if (param_buf->wow_packet_buffer) {
- /* First 4-bytes of wow_packet_buffer is the length */
- qdf_mem_copy((uint8_t *) &wow_buf_pkt_len,
- param_buf->wow_packet_buffer, 4);
 if (wow_buf_pkt_len)
 wma_wow_dump_mgmt_buffer(
 param_buf->wow_packet_buffer,
@@ -4793,9 +4794,6 @@ int wma_wow_wakeup_host_event(void *handle, uint8_t *event,
 break;
 }
- /* First 4-bytes of wow_packet_buffer is the length */
- qdf_mem_copy((uint8_t *)&wow_buf_pkt_len,
- param_buf->wow_packet_buffer, 4);
 if (wow_buf_pkt_len == 0) {
 WMA_LOGE("wow packet buffer is empty");
 break;
-- cgit v1.2.3