Merge android14-gs-pixel-5.15-24Q2 into android14-gs-pixel-5.15android-15-beta-1_r0.7android-gs-shusky-5.15-android15-dp

SBMerger: 610748217
Change-Id: Icfd1d8998bb641e83bc28e548e1647960bd85e83
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

1 files changed, 7 insertions, 4 deletions

diff --git a/dhd_msgbuf.c b/dhd_msgbuf.c
index ecbdd10..6d42469 100644
--- a/dhd_msgbuf.c
+++ b/dhd_msgbuf.c
@@ -12483,10 +12483,13 @@ dhd_fillup_ioct_reqst(dhd_pub_t *dhd, uint16 len, uint cmd, void* buf, int ifidx
 	rqstlen = len;
 	resplen = len;
 
-	/* Limit ioct request to MSGBUF_MAX_MSG_SIZE bytes including hdrs */
-	/* 8K allocation of dongle buffer fails */
-	/* dhd doesnt give separate input & output buf lens */
-	/* so making the assumption that input length can never be more than 2k */
+	/* fail 'set' ioctl request if len > MSGBUF_MAX_MSG_SIZE bytes including hdrs */
+	if ((action & WL_IOCTL_ACTION_SET) && (rqstlen > MSGBUF_IOCTL_MAX_RQSTLEN)) {
+		DHD_ERROR(("%s: rqstlen(%u) larger than %u\n", __FUNCTION__, rqstlen,
+			MSGBUF_IOCTL_MAX_RQSTLEN));
+		return BCME_BADLEN;
+	}
+
 	rqstlen = MIN(rqstlen, MSGBUF_IOCTL_MAX_RQSTLEN);
 
 #ifdef PCIE_INB_DW