From 2377fadff8982edf23c6d39c75bc7f98324327ca Mon Sep 17 00:00:00 2001 From: Paul Zhang Date: Tue, 26 Sep 2017 13:34:59 +0800 Subject: qcacld-3.0: Prevent buffer overflow qcacld-2.0 to qcacld-3.0 propagation In function wlanqcmbr_mc_process_msg, variable data_len is from message, which should not be trusted. Buffer overflow will happen if using it directory to copy data to utf_buf. Change-Id: I21479f510b95e6ced214f80d942db919837e8324 CRs-Fixed: 2116449 --- core/hdd/src/wlan_hdd_ftm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/core/hdd/src/wlan_hdd_ftm.c b/core/hdd/src/wlan_hdd_ftm.c index 62f6ebf730d2..daca6641c2dd 100644 --- a/core/hdd/src/wlan_hdd_ftm.c +++ b/core/hdd/src/wlan_hdd_ftm.c @@ -333,6 +333,9 @@ static void wlanqcmbr_mc_process_msg(void *message) uint32_t data_len; data_len = *((uint32_t *) message) + sizeof(uint32_t); + if (data_len > MAX_UTF_LENGTH + 4) + return; + qcmbr_buf = qdf_mem_malloc(sizeof(qcmbr_queue_t)); if (qcmbr_buf != NULL) { memcpy(qcmbr_buf->utf_buf, message, data_len); -- cgit v1.2.3