diff options
author | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2022-12-20 11:30:47 -0800 |
---|---|---|
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2023-04-29 14:45:28 +0000 |
commit | 0db3417088da75711d9be83374aaff39c10ea1e0 (patch) | |
tree | 1a86b1923aff059c84c2a07d72b0b707f3ffabae | |
parent | 214ce889db887cccb1a356a155bd8defb46eb131 (diff) | |
download | cnss2-0db3417088da75711d9be83374aaff39c10ea1e0.tar.gz |
cnss2: Add data length validation in cnss_wlfw_qdss_data_send_sync()android-13.0.0_r0.127android-13.0.0_r0.126android-13.0.0_r0.125android-13.0.0_r0.124android-13.0.0_r0.123android-13.0.0_r0.121android-13.0.0_r0.117android-13.0.0_r0.116android-13.0.0_r0.115android-13.0.0_r0.114android-13.0.0_r0.113android-13.0.0_r0.112android-13.0.0_r0.107android-13.0.0_r0.106android-13.0.0_r0.105android-13.0.0_r0.104android-13.0.0_r0.103android-13.0.0_r0.100android-gs-tangorpro-5.10-android13-qpr3android-gs-raviole-5.10-android13-qpr3android-gs-pantah-5.10-android13-qpr3android-gs-lynx-5.10-android13-qpr3android-gs-felix-5.10-android13-qpr3-candroid-gs-felix-5.10-android13-qpr3android-gs-bluejay-5.10-android13-qpr3
Add a data length validation check in fw response message in
qdss_data_send_sync().
Bug: 276751076
Test: Regression Test
Change-Id: I197b8d52c06e35f5fcf0f8fee94429fdcf500fcb
CRs-Fixed: 3359589
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
(cherry picked from commit efb7cbd8ff60dc9d1b98d9bd33c87594408ae7bb)
-rw-r--r-- | cnss2/qmi.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/cnss2/qmi.c b/cnss2/qmi.c index 1b9f388..dba4215 100644 --- a/cnss2/qmi.c +++ b/cnss2/qmi.c @@ -1143,7 +1143,8 @@ int cnss_wlfw_qdss_data_send_sync(struct cnss_plat_data *plat_priv, char *file_n resp->total_size == total_size) && (resp->seg_id_valid == 1 && resp->seg_id == req->seg_id) && (resp->data_valid == 1 && - resp->data_len <= QMI_WLFW_MAX_DATA_SIZE_V01)) { + resp->data_len <= QMI_WLFW_MAX_DATA_SIZE_V01) && + resp->data_len <= remaining) { memcpy(p_qdss_trace_data_temp, resp->data, resp->data_len); } else { |