author: abhinav kumar <abhikuma@codeaurora.org> 2021-08-11 19:28:49 +0530
committer: Hsiu Chang Chen <hsiuchangchen@google.com> 2021-11-15 09:52:32 +0000
commit: e0bcf03283a9f7fa2d38a35c140d020947fa118e
tree: 43209cba2fff3b76a8bea635e3c668f5170d312a
parent: bb3768591e25cc1a5c6c7f2ecafd8e7dea5fdf00
download: qca-wfi-host-cmn-e0bcf03283a9f7fa2d38a35c140d020947fa118e.tar.gz

qcacmn: Possible OOB read in process_fw_diag_event_data

API "fw_diag_data_event_handler" is the handler of an event WMI_DIAG_DATA_CONTAINER_EVENTID comes from FW. Arguments of this handler function come from FW. If num_data may be less than size of(struct wlan_diag_data), possible OOB while extracting event data. Fix is to add a sanity check for num_data to avoid the OOB read.

Bug: 204909067
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Ia2eb62dbaa154936bdb4ea34065657d441f12810
CRs-Fixed: 3001178

-rw-r--r-- utils/fwlog/dbglog_host.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/utils/fwlog/dbglog_host.c b/utils/fwlog/dbglog_host.c
index fc580f97a..6d3a4917b 100644
--- a/utils/fwlog/dbglog_host.c
+++ b/utils/fwlog/dbglog_host.c
@@ -1683,7 +1683,7 @@ process_fw_diag_event_data(uint8_t *datap, uint32_t num_data)
uint32_t diag_data_len; /* each fw diag payload */
struct wlan_diag_data *diag_data;
- while (num_data > 0) {
+ while (num_data >= sizeof(struct wlan_diag_data)) {
diag_data = (struct wlan_diag_data *)datap;
diag_type = WLAN_DIAG_0_TYPE_GET(diag_data->word0);
diag_data_len = WLAN_DIAG_0_LEN_GET(diag_data->word0);
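
Review bot: The new loop condition `while (num_data >= sizeof(struct wlan_diag_data))` only proves the fixed header is in bounds; `diag_data_len`, taken from `diag_data->word0` two lines later, is also firmware-supplied, and nothing in the visible lines compares it with what remains in `num_data`. Please confirm that the rest of the loop body rejects a record whose header size plus `diag_data_len` exceeds `num_data` before the payload is read or `datap`/`num_data` are advanced. If it does not, add that check here, because an oversized length would still read past the buffer and a subtraction on the `uint32_t` counter could wrap. A smaller point: when the loop now exits with `0 < num_data < sizeof(struct wlan_diag_data)`, the trailing bytes are dropped silently, so a debug log of the truncated length after the loop would make malformed firmware events visible.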