diff options
author | Surya Prakash Sivaraj <suryapra@codeaurora.org> | 2021-08-12 14:05:25 +0530 |
---|---|---|
committer | Hsiu Chang Chen <hsiuchangchen@google.com> | 2021-11-22 11:19:49 +0000 |
commit | 68cc170b5b6a7a3933b546a5b5b3126a618a3646 (patch) | |
tree | 17102dd3aadc95c40bc5e2633c5505ea90bc075f | |
parent | e0bcf03283a9f7fa2d38a35c140d020947fa118e (diff) | |
download | qca-wfi-host-cmn-68cc170b5b6a7a3933b546a5b5b3126a618a3646.tar.gz |
qcacmn: Validate the buffer length in fips event handlerandroid-s-v2-beta-2_r0.5android-msm-barbet-4.19-android12-v2-beta-2
In the WMI_PDEV_FIPS_EVENTID event handling, add a length
check to validate if the buffer length sent by the firmware
in fixed params is less than or equal to the actual buffer
length before processing the data.
Bug: 206300486
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I7a952d3e3a2f66060451263b72118a52aa89dd06
CRs-Fixed: 3009887
-rw-r--r-- | wmi/src/wmi_unified_tlv.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index ead866dba..0a11afc7a 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -10205,6 +10205,9 @@ static QDF_STATUS extract_fips_event_data_tlv(wmi_unified_t wmi_handle, param_buf = (WMI_PDEV_FIPS_EVENTID_param_tlvs *) evt_buf; event = (wmi_pdev_fips_event_fixed_param *) param_buf->fixed_param; + if (event->data_len > param_buf->num_data) + return QDF_STATUS_E_FAILURE; + if (fips_conv_data_be(event->data_len, param_buf->data) != QDF_STATUS_SUCCESS) return QDF_STATUS_E_FAILURE; |