diff options
author | Surya Prakash Sivaraj <suryapra@codeaurora.org> | 2021-08-05 10:56:50 +0530 |
---|---|---|
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2021-11-15 17:41:57 +0800 |
commit | 15e52d0a9bd8963862a7660424c4040de15ef354 (patch) | |
tree | 63f4132971af4e2328dec7f2e62b6608d9575950 | |
parent | 260c68c1611d74314bc3e6f15bfb2f6504173aca (diff) | |
download | qca-wfi-host-cmn-15e52d0a9bd8963862a7660424c4040de15ef354.tar.gz |
qcacmn: Validate the buffer length in rx mgmt handler
In the WMI_MGMT_RX_EVENTID event handling, add a length
check to validate if the buffer length sent by the firmware
is less than or equal to the actual buffer length.
Bug: 204012850
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023
CRs-Fixed: 3001331
-rw-r--r-- | wmi/src/wmi_unified_tlv.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 066d3fa3d..ead866dba 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -8671,6 +8671,11 @@ static QDF_STATUS extract_mgmt_rx_params_tlv(wmi_unified_t wmi_handle, return QDF_STATUS_E_INVAL; } + if (ev_hdr->buf_len > param_tlvs->num_bufp) { + WMI_LOGE("Rx mgmt frame length mismatch, discard it"); + return QDF_STATUS_E_INVAL; + } + hdr->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host( ev_hdr->pdev_id); |