author | Surya Prakash Sivaraj <suryapra@codeaurora.org> | 2021-08-12 14:05:25 +0530 |
---|---|---|
committer | Paul Chen <chenpaul@google.com> | 2021-12-03 01:33:25 +0000 |
commit | 178bd65d31a2311173838b08286ac046e491932e (patch) | |
tree | cbdef75d3dea8d4db4d8230da6300c0ceb0bb5b8 | |
parent | 1bf70932fe55c12d25748c95e631f0f92deb40f9 (diff) | |
qcacmn: Validate the buffer length in fips event handler
In the WMI_PDEV_FIPS_EVENTID event handling, add a length
check to validate if the buffer length sent by the firmware
in fixed params is less than or equal to the actual buffer
length before processing the data.
Change-Id: I7a952d3e3a2f66060451263b72118a52aa89dd06
CRs-Fixed: 3009887
Bug: 206300486
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rwxr-xr-x | wmi/src/wmi_unified_tlv.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 5316ca7a4..b15f07a16 100755 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -20516,6 +20516,9 @@ static QDF_STATUS extract_fips_event_data_tlv(wmi_unified_t wmi_handle, param_buf = (WMI_PDEV_FIPS_EVENTID_param_tlvs *) evt_buf; event = (wmi_pdev_fips_event_fixed_param *) param_buf->fixed_param; + if (event->data_len > param_buf->num_data) + return QDF_STATUS_E_FAILURE; + if (fips_conv_data_be(event->data_len, param_buf->data) != QDF_STATUS_SUCCESS) return QDF_STATUS_E_FAILURE; |
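Review bot: the new `if (event->data_len > param_buf->num_data)` check in extract_fips_event_data_tlv() returns QDF_STATUS_E_FAILURE silently, so a firmware event carrying an oversized length is dropped with no trace in the host log. Log both `event->data_len` and `param_buf->num_data` before returning, so that a malformed event can be diagnosed. Please also confirm that `num_data` is counted in the same units as `data_len`; if one is a byte count and the other an element count, the comparison does not express what the commit message describes, and the length passed to `fips_conv_data_be(event->data_len, param_buf->data)` is not checked against the right bound. A one-line comment above the check noting that `data_len` comes from the firmware's fixed params and `num_data` is the actual buffer length would help later readers.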