diff options
author | Surya Prakash Sivaraj <suryapra@codeaurora.org> | 2021-08-05 10:56:50 +0530 |
---|---|---|
committer | Hsiu Chang Chen <hsiuchangchen@google.com> | 2021-11-15 09:51:56 +0000 |
commit | a9242cd34deaeea9aef26ba56ae2ac1aa528eba2 (patch) | |
tree | 63f4132971af4e2328dec7f2e62b6608d9575950 | |
parent | 31e9e477d5e04432b7611893e150d7654365fddd (diff) | |
download | qca-wfi-host-cmn-a9242cd34deaeea9aef26ba56ae2ac1aa528eba2.tar.gz |
qcacmn: Validate the buffer length in rx mgmt handler
In the WMI_MGMT_RX_EVENTID event handling, add a length
check to validate if the buffer length sent by the firmware
is less than or equal to the actual buffer length.
Bug: 204012850
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023
CRs-Fixed: 3001331
-rw-r--r-- | wmi/src/wmi_unified_tlv.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 066d3fa3d..ead866dba 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -8671,6 +8671,11 @@ static QDF_STATUS extract_mgmt_rx_params_tlv(wmi_unified_t wmi_handle, return QDF_STATUS_E_INVAL; } + if (ev_hdr->buf_len > param_tlvs->num_bufp) { + WMI_LOGE("Rx mgmt frame length mismatch, discard it"); + return QDF_STATUS_E_INVAL; + } + hdr->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host( ev_hdr->pdev_id); |