authorSurya Prakash Sivaraj <suryapra@codeaurora.org>2021-08-05 10:56:50 +0530
committerHsiu Chang Chen <hsiuchangchen@google.com>2021-11-15 09:51:56 +0000
commita9242cd34deaeea9aef26ba56ae2ac1aa528eba2 (patch)
tree63f4132971af4e2328dec7f2e62b6608d9575950
parent31e9e477d5e04432b7611893e150d7654365fddd (diff)
qcacmn: Validate the buffer length in rx mgmt handler
In the WMI_MGMT_RX_EVENTID event handling, add a length check to validate if the buffer length sent by the firmware is less than or equal to the actual buffer length. Bug: 204012850 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023 CRs-Fixed: 3001331
-rw-r--r--wmi/src/wmi_unified_tlv.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 066d3fa3d..ead866dba 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -8671,6 +8671,11 @@ static QDF_STATUS extract_mgmt_rx_params_tlv(wmi_unified_t wmi_handle,
return QDF_STATUS_E_INVAL;
}
+ if (ev_hdr->buf_len > param_tlvs->num_bufp) {
+ WMI_LOGE("Rx mgmt frame length mismatch, discard it");
+ return QDF_STATUS_E_INVAL;
+ }
+
hdr->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host(
ev_hdr->pdev_id);
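Review bot: The error log in the added check drops the two values it compared, so a later report cannot tell a firmware accounting bug from a malformed event, or show how far the length overshot. Consider `WMI_LOGE("Rx mgmt frame length mismatch: buf_len %u, num_bufp %u", ev_hdr->buf_len, param_tlvs->num_bufp);`, where the `%u` specifiers assume both fields are 32-bit unsigned, which the hunk does not show. The check bounds `buf_len` only from above; whether a zero length, or one shorter than a management frame header, is rejected before the buffer is parsed is not visible here and is worth confirming in the consumers of `hdr`. extract_mgmt_rx_params_tlv starts and ends outside the hunk.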