authorSurya Prakash Sivaraj <suryapra@codeaurora.org>2021-08-12 14:05:25 +0530
committerPaul Chen <chenpaul@google.com>2021-12-03 01:33:25 +0000
commit178bd65d31a2311173838b08286ac046e491932e (patch)
treecbdef75d3dea8d4db4d8230da6300c0ceb0bb5b8
parent1bf70932fe55c12d25748c95e631f0f92deb40f9 (diff)
downloadqca-wfi-host-cmn-178bd65d31a2311173838b08286ac046e491932e.tar.gz
qcacmn: Validate the buffer length in fips event handler
In the WMI_PDEV_FIPS_EVENTID event handling, add a length check to validate if the buffer length sent by the firmware in fixed params is less than or equal to the actual buffer length before processing the data. Change-Id: I7a952d3e3a2f66060451263b72118a52aa89dd06 CRs-Fixed: 3009887 Bug: 206300486 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rwxr-xr-xwmi/src/wmi_unified_tlv.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 5316ca7a4..b15f07a16 100755
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -20516,6 +20516,9 @@ static QDF_STATUS extract_fips_event_data_tlv(wmi_unified_t wmi_handle,
param_buf = (WMI_PDEV_FIPS_EVENTID_param_tlvs *) evt_buf;
event = (wmi_pdev_fips_event_fixed_param *) param_buf->fixed_param;
+ if (event->data_len > param_buf->num_data)
+ return QDF_STATUS_E_FAILURE;
+
if (fips_conv_data_be(event->data_len, param_buf->data) !=
QDF_STATUS_SUCCESS)
return QDF_STATUS_E_FAILURE;
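Review bot: The new guard `if (event->data_len > param_buf->num_data)` dereferences `event` immediately after it is read from `param_buf->fixed_param`, and nothing in the visible lines checks `param_buf` or `event` for NULL first. If no earlier check exists outside the hunk, adding `if (!param_buf) return QDF_STATUS_E_INVAL;` before the `event = ...` assignment, and a matching check on `event`, would keep a malformed event from faulting here. The comparison is only a sound bound if `data_len` and `num_data` count the same unit (bytes versus array elements), which the hunk does not show. A comment such as `/* data_len comes from firmware; it must not exceed the num_data elements the TLV parser mapped */` would record that assumption. The rejection is also silent, so logging both lengths at error level before the return would make a misbehaving firmware image visible in the field. The body of extract_fips_event_data_tlv begins and continues outside the hunk.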