From fe50df3142c382c83cbdefd50bb277f623247f06 Mon Sep 17 00:00:00 2001 From: jitiphil Date: Thu, 9 Aug 2018 14:17:54 +0530 Subject: qcacld-2.0: Integer overflow in wma_unified_link_peer_stats_event_handler In wma_unified_link_peer_stats_event_handler a check for excess WMI buffer is done by comparing difference between WMI_SVC_MSG_MAX_SIZE and buffer length with size of wmi_peer_stats_event_fixed_param. In case the buffer length is a value larger than WMI_SVC_MSG_MAX_SIZE, and as buffer length is an unsigned integer, it causes an integer overflow and results in a very large value, thus invalidating the check. Change the check to compare difference of WMI_SVC_MSG_MAX_SIZE and size of wmi_peer_stats_event_fixed_param with the buffer length which prevents chance of integer overflow. Change-Id: Ic99d0cf6b34c7c45dde3c4feb50e102807564eff CRs-Fixed: 2262294 --- CORE/SERVICES/WMA/wma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c index d58a33822e52..fe7c7a2069f8 100644 --- a/CORE/SERVICES/WMA/wma.c +++ b/CORE/SERVICES/WMA/wma.c @@ -5108,7 +5108,7 @@ static int wma_unified_link_peer_stats_event_handler(void *handle, size_t peer_info_size, peer_stats_size, rate_stats_size; size_t link_stats_results_size; bool excess_data = false; - u_int32_t buf_len; + u_int32_t buf_len = 0; tpAniSirGlobal pMac = (tpAniSirGlobal )vos_get_context(VOS_MODULE_ID_PE, wma_handle->vos_context); @@ -5176,7 +5176,7 @@ static int wma_unified_link_peer_stats_event_handler(void *handle, } while (0); if (excess_data || - (sizeof(*fixed_param) > WMA_SVC_MSG_MAX_SIZE - buf_len)) { + (buf_len > WMA_SVC_MSG_MAX_SIZE - sizeof(*fixed_param))) { WMA_LOGE("excess wmi buffer: rates:%d, peers:%d", peer_stats->num_rates, fixed_param->num_peers); VOS_ASSERT(0); -- cgit v1.2.3