author | Ajay <ajay.davanageri@broadcom.com> | 2021-08-30 15:00:45 +0530 |
---|---|---|
committer | Ahmed ElArabawy <arabawy@google.com> | 2021-09-08 00:02:41 +0000 |
commit | ed800a513e171fc5ee1bc90dbd5b5d56e19b0c2b (patch) | |
tree | 126b09a93cf6a0d13c7faefcd77792d46a65ec89 | |
parent | e3c53e71cebb6a27a7f6e5e03e6489305208a1ac (diff) | |
Additional logs and checks to prevent OOB in ring status path.
android-12.0.0_r32 android-12.0.0_r29 android-12.0.0_r27 android-12.0.0_r21 android-12.0.0_r20 android-12.0.0_r19 android-12.0.0_r18 android12-qpr1-d-s3-release android12-qpr1-d-s2-release android12-qpr1-d-s1-release android12-qpr1-d-release
Bug: 197330639
Test: Verified build on hikey960 platform.
Change-Id: I0e8c4f3cdf339dc5e4e7e43650bb22daadbcae5f
Merged-In: I0e8c4f3cdf339dc5e4e7e43650bb22daadbcae5f
(cherry picked from commit 6389e22db1738bbbfe7ce25753252d18d637e52b)
Change-Id: I13e21ff9a50cfb1fa5b9c725d641d8840b1e0013
-rwxr-xr-x | bcmdhd/wifi_hal/wifi_logger.cpp | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/bcmdhd/wifi_hal/wifi_logger.cpp b/bcmdhd/wifi_hal/wifi_logger.cpp
index a9f9506..440d9ba 100755
--- a/bcmdhd/wifi_hal/wifi_logger.cpp
+++ b/bcmdhd/wifi_hal/wifi_logger.cpp
@@ -419,7 +419,7 @@ public:
 }
 int start() {
- // ALOGD("Start debug command");
+ ALOGD("Start debug command");
 WifiRequest request(familyId(), ifaceId());
 int result = createRequest(request);
 if (result != WIFI_SUCCESS) {
@@ -435,7 +435,7 @@ public:
 }
 virtual int handleResponse(WifiEvent& reply) {
- ALOGD("In DebugCommand::handleResponse");
+ ALOGD("In DebugCommand::handleResponse, mType:%d\n", mType);
 if (reply.get_cmd() != NL80211_CMD_VENDOR) {
 ALOGD("Ignoring reply with cmd = %d", reply.get_cmd());
@@ -490,9 +490,15 @@ public:
 it.next();
 for (unsigned int i = 0; it.has_next() && i < *mNumRings; it.next()) {
 if (it.get_type() == LOGGER_ATTRIBUTE_RING_STATUS) {
- memcpy(status, it.get_data(), sizeof(wifi_ring_buffer_status));
- i++;
- status++;
+ if (it.get_len() > sizeof(wifi_ring_buffer_status)) {
+ ALOGE("ring status unexpected len = %d, dest len = %lu",
+ it.get_len(), sizeof(wifi_ring_buffer_status));
+ return NL_SKIP;
+ } else {
+ memcpy(status, it.get_data(), sizeof(wifi_ring_buffer_status));
+ i++;
+ status++;
+ }
 } else {
 ALOGW("Ignoring invalid attribute type = %d, size = %d", it.get_type(), it.get_len());
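Review bot: The new length check in the `LOGGER_ATTRIBUTE_RING_STATUS` branch rejects only attributes longer than the struct, yet the `memcpy` that follows still reads a fixed `sizeof(wifi_ring_buffer_status)` bytes from `it.get_data()`, so an attribute shorter than the struct is read past the end of its payload. Requiring an exact match closes that over-read: `if (it.get_len() != sizeof(wifi_ring_buffer_status)) {`. The same `>` comparison guards the `memcpy(&status, ...)` in the `GOOGLE_DEBUG_RING_EVENT` hunk at `@@ -699,16 +705,23 @@` and needs the same change. How `status` and `*mNumRings` are sized is decided outside this hunk, so the destination bound cannot be confirmed from here.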
@@ -699,16 +705,23 @@ public:
 return NL_SKIP;
 }
- if(event_id == GOOGLE_DEBUG_RING_EVENT) {
+ if (event_id == GOOGLE_DEBUG_RING_EVENT) {
 wifi_ring_buffer_status status;
 memset(&status, 0, sizeof(status));
 for (nl_iterator it(vendor_data); it.has_next(); it.next()) {
 if (it.get_type() == LOGGER_ATTRIBUTE_RING_STATUS) {
- memcpy(&status, it.get_data(), sizeof(status));
+ if (it.get_len() > sizeof(wifi_ring_buffer_status)) {
+ ALOGE("SetLogHandler: ring status unexpected len = %d, dest len = %lu",
+ it.get_len(), sizeof(wifi_ring_buffer_status));
+ return NL_SKIP;
+ } else {
+ memcpy(&status, it.get_data(), sizeof(wifi_ring_buffer_status));
+ }
 } else if (it.get_type() == LOGGER_ATTRIBUTE_RING_DATA) {
 buffer_size = it.get_len();
 buffer = (char *)it.get_data();
+ ALOGV("SetLogHandler: ring data size = %d", buffer_size);
 } else {
 ALOGW("Ignoring invalid attribute type = %d, size = %d", it.get_type(), it.get_len()); |
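Review bot: The added `ALOGE` prints `sizeof(wifi_ring_buffer_status)` with `%lu`, but `sizeof` yields `size_t`, which is not `unsigned long` on 32-bit builds; `%zu` is the matching conversion: `ALOGE("SetLogHandler: ring status unexpected len = %d, dest len = %zu",`. The `ALOGE` added in the hunk at `@@ -490,9 +490,15 @@` uses the same specifier. `it.get_len()` is printed with `%d` and compared against a `size_t`, and its return type is not visible here, so it is worth confirming that neither the format nor the comparison depends on an implicit signed-to-unsigned conversion. The handler's body starts and ends outside this hunk.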