diff options
author | PixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> | 2024-03-03 18:41:36 -0800 |
---|---|---|
committer | SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> | 2024-03-03 18:41:37 -0800 |
commit | 4689f3747d62ae9ce240e018f2304c597aad98cd (patch) | |
tree | e881b9ed0141532231234de1bf6b7a0351d973c5 | |
parent | 1beb5ab50a4d4526646c5b89c18b68d83bf09d2c (diff) | |
parent | 64492487aeff10809ecd9229222e04ccb06ecb17 (diff) | |
download | bcm4398-android-gs-shusky-5.15-android15-dp.tar.gz |
Merge android14-gs-pixel-5.15-24Q2 into android14-gs-pixel-5.15android-15-beta-1_r0.7android-gs-shusky-5.15-android15-dp
SBMerger: 610748217
Change-Id: Icfd1d8998bb641e83bc28e548e1647960bd85e83
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
-rw-r--r-- | dhd_msgbuf.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/dhd_msgbuf.c b/dhd_msgbuf.c index ecbdd10..6d42469 100644 --- a/dhd_msgbuf.c +++ b/dhd_msgbuf.c @@ -12483,10 +12483,13 @@ dhd_fillup_ioct_reqst(dhd_pub_t *dhd, uint16 len, uint cmd, void* buf, int ifidx rqstlen = len; resplen = len; - /* Limit ioct request to MSGBUF_MAX_MSG_SIZE bytes including hdrs */ - /* 8K allocation of dongle buffer fails */ - /* dhd doesnt give separate input & output buf lens */ - /* so making the assumption that input length can never be more than 2k */ + /* fail 'set' ioctl request if len > MSGBUF_MAX_MSG_SIZE bytes including hdrs */ + if ((action & WL_IOCTL_ACTION_SET) && (rqstlen > MSGBUF_IOCTL_MAX_RQSTLEN)) { + DHD_ERROR(("%s: rqstlen(%u) larger than %u\n", __FUNCTION__, rqstlen, + MSGBUF_IOCTL_MAX_RQSTLEN)); + return BCME_BADLEN; + } + rqstlen = MIN(rqstlen, MSGBUF_IOCTL_MAX_RQSTLEN); #ifdef PCIE_INB_DW |