From ed800a513e171fc5ee1bc90dbd5b5d56e19b0c2b Mon Sep 17 00:00:00 2001
From: Ajay
Date: Mon, 30 Aug 2021 15:00:45 +0530
Subject: Additional logs and checks to prevent OOB in ring status path.
Bug: 197330639
Test: Verified build on hikey960 platform.
Change-Id: I0e8c4f3cdf339dc5e4e7e43650bb22daadbcae5f
Merged-In: I0e8c4f3cdf339dc5e4e7e43650bb22daadbcae5f
(cherry picked from commit 6389e22db1738bbbfe7ce25753252d18d637e52b)
Change-Id: I13e21ff9a50cfb1fa5b9c725d641d8840b1e0013
---
 bcmdhd/wifi_hal/wifi_logger.cpp | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/bcmdhd/wifi_hal/wifi_logger.cpp b/bcmdhd/wifi_hal/wifi_logger.cpp
index a9f9506..440d9ba 100755
--- a/bcmdhd/wifi_hal/wifi_logger.cpp
+++ b/bcmdhd/wifi_hal/wifi_logger.cpp
@@ -419,7 +419,7 @@ public:
 }
 int start() {
- // ALOGD("Start debug command");
+ ALOGD("Start debug command");
 WifiRequest request(familyId(), ifaceId());
 int result = createRequest(request);
 if (result != WIFI_SUCCESS) {
@@ -435,7 +435,7 @@ public:
 }
 virtual int handleResponse(WifiEvent& reply) {
- ALOGD("In DebugCommand::handleResponse");
+ ALOGD("In DebugCommand::handleResponse, mType:%d\n", mType);
 if (reply.get_cmd() != NL80211_CMD_VENDOR) {
 ALOGD("Ignoring reply with cmd = %d", reply.get_cmd());
@@ -490,9 +490,15 @@ public:
 it.next();
 for (unsigned int i = 0; it.has_next() && i < *mNumRings; it.next()) {
 if (it.get_type() == LOGGER_ATTRIBUTE_RING_STATUS) {
- memcpy(status, it.get_data(), sizeof(wifi_ring_buffer_status));
- i++;
- status++;
+ if (it.get_len() > sizeof(wifi_ring_buffer_status)) {
+ ALOGE("ring status unexpected len = %d, dest len = %lu",
+ it.get_len(), sizeof(wifi_ring_buffer_status));
+ return NL_SKIP;
+ } else {
+ memcpy(status, it.get_data(), sizeof(wifi_ring_buffer_status));
+ i++;
+ status++;
+ }
 } else {
 ALOGW("Ignoring invalid attribute type = %d, size = %d",
 it.get_type(), it.get_len());
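Review bot: The new ALOGD in handleResponse ends its format string with `\n`, which none of the other ALOG calls in this patch do; the Android log macros already terminate the record, so the stray newline only yields an empty line in logcat. Suggest `ALOGD("In DebugCommand::handleResponse, mType:%d", mType);`. handleResponse's body continues outside the hunk.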
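Review bot: The added guard in the ring-status loop tests `it.get_len() > sizeof(wifi_ring_buffer_status)`, but the memcpy below it always copies the full struct size, so an attribute shorter than the struct still passes the check and the copy reads past the attribute's payload; the oversized case the guard rejects is the one memcpy already truncated harmlessly. Use `if (it.get_len() != sizeof(wifi_ring_buffer_status)) {` (or at least `<`) so a mismatched size in either direction is logged and skipped. The same `>` test is added in the @@ -699 hunk (the SetLogHandler path) and needs the same change. Separately, `%lu` for a `sizeof` argument is only correct where size_t is unsigned long; `%zu` is the portable specifier for both new ALOGE calls. The enclosing function starts and ends outside the hunk.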
@@ -699,16 +705,23 @@ public:
 return NL_SKIP;
 }
- if(event_id == GOOGLE_DEBUG_RING_EVENT) {
+ if (event_id == GOOGLE_DEBUG_RING_EVENT) {
 wifi_ring_buffer_status status;
 memset(&status, 0, sizeof(status));
 for (nl_iterator it(vendor_data); it.has_next(); it.next()) {
 if (it.get_type() == LOGGER_ATTRIBUTE_RING_STATUS) {
- memcpy(&status, it.get_data(), sizeof(status));
+ if (it.get_len() > sizeof(wifi_ring_buffer_status)) {
+ ALOGE("SetLogHandler: ring status unexpected len = %d, dest len = %lu",
+ it.get_len(), sizeof(wifi_ring_buffer_status));
+ return NL_SKIP;
+ } else {
+ memcpy(&status, it.get_data(), sizeof(wifi_ring_buffer_status));
+ }
 } else if (it.get_type() == LOGGER_ATTRIBUTE_RING_DATA) {
 buffer_size = it.get_len();
 buffer = (char *)it.get_data();
+ ALOGV("SetLogHandler: ring data size = %d", buffer_size);
 } else {
 ALOGW("Ignoring invalid attribute type = %d, size = %d",
 it.get_type(), it.get_len());
-- cgit v1.2.3
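Review bot: The RING_DATA branch beside the new check still takes `buffer_size` and `buffer` straight from the driver-supplied attribute, and the new ALOGV only records the size; since those values are consumed outside this hunk, a zero length (or one above whatever the consumer can hold, if such a ceiling exists) should be logged and skipped the same way the status attribute now is, rather than passed on unchecked. The `} else {` after `return NL_SKIP;` is redundant here and in the @@ -490 hunk; dropping the else keeps the memcpy at its original nesting and makes the guard read as a plain early-exit. The enclosing function continues outside the hunk.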