diff options
author | Dennis Cagle <d-cagle@codeaurora.org> | 2017-12-04 18:00:50 -0800 |
---|---|---|
committer | Thierry Strudel <tstrudel@google.com> | 2017-12-06 21:39:40 +0000 |
commit | 674349727b4e01cfe0ebe0be33ad82e60773aaa8 (patch) | |
tree | c32844cfd53bf3b04d21822422879c41cdc2f1ef | |
parent | 8018564f61008a2abdab3e9d6c851c16d2a66803 (diff) |
qcacld-2.0: Add sanity check to avoid overflow in WMI event dataandroid-8.1.0_r0.24
In WMA, data from firmware event buffer is used without
sanity checks for upper limit. This might lead to a potential
integer overflow further leading to buffer corruption.
Add sanity check to avoid integer overflow.
Change-Id: Id47e12015a4d46af24180b621b52ffcb17596c07
CRs-Fixed: 2113919
Bug: 68992426
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
-rw-r--r-- | drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c index 006f89bb9124..1c7e3fdb5923 100644 --- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c +++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c @@ -5264,6 +5264,14 @@ static int wma_unified_power_debug_stats_event_handler(void *handle, return -EINVAL; } + if (param_buf->num_debug_register > ((WMA_SVC_MSG_MAX_SIZE - + sizeof(wmi_pdev_chip_power_stats_event_fixed_param)) / + sizeof(uint32_t))) { + WMA_LOGE("excess payload: LEN num_debug_register:%u", + param_buf->num_debug_register); + return -EINVAL; + } + debug_registers = param_tlvs->debug_registers; stats_registers_len = (sizeof(uint32_t) * param_buf->num_debug_register); |