author | Keyur Parekh <kparekh@codeaurora.org> | 2017-12-08 16:15:12 -0800 |
---|---|---|
committer | snandini <snandini@codeaurora.org> | 2017-12-27 11:01:16 -0800 |
commit | 45393697a8f8317d30505ecea8abd00cfb71dbf9 (patch) | |
tree | 3f93ba52bf85a176f55d05b3685e2ef5c2b6ab9c /hif | |
parent | 8b8f00f622dc39e1663d38707e0d9e93044cffce (diff) | |
download | qca-wfi-host-cmn-45393697a8f8317d30505ecea8abd00cfb71dbf9.tar.gz |
qcacmn: Fix potential buffer overflow
The fragment count can exceed the upper limit of
cvg_nbuf_cb->extra_flag.num, which would lead to an overread
of the fragment length. This change adds an upper limit check
for the fragment count.
Change-Id: Ib4ba4047f5eea89c09a92f89cf72e1976e0c9f3c
Diffstat (limited to 'hif')
-rw-r--r-- | hif/src/usb/hif_usb.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/hif/src/usb/hif_usb.c b/hif/src/usb/hif_usb.c
index 2557118cd..41bf6e560 100644
--- a/hif/src/usb/hif_usb.c
+++ b/hif/src/usb/hif_usb.c
@@ -132,14 +132,21 @@ static QDF_STATUS hif_send_internal(HIF_DEVICE_USB *hif_usb_device,
 	int usb_status;
 	int i;
 	struct hif_usb_send_context *send_context;
-	int frag_count = 0, head_data_len, tmp_frag_count = 0;
+	uint8_t frag_count;
+	int head_data_len, tmp_frag_count = 0;
 	unsigned char *data_ptr;
 	HIF_DBG("+%s pipe : %d, buf:0x%pK nbytes %u", __func__, pipe_id, buf, nbytes);
 	frag_count = qdf_nbuf_get_num_frags(buf);
-	if (frag_count > 1) { /* means have extra fragment buf in skb */
+	if (frag_count > 1) {
+		/*
+		 * | hif_usb_send_context | netbuf->data
+		 */
+		head_data_len = sizeof(struct hif_usb_send_context);
+	} else if ((frag_count - 1) < CVG_NBUF_MAX_EXTRA_FRAGS) {
+		/* means have extra fragment buf in skb */
 		/* header data length should be total sending length substract
 		 * internal data length of netbuf
 		 * | hif_usb_send_context | fragments except internal buffer |
@@ -153,10 +160,11 @@ static QDF_STATUS hif_send_internal(HIF_DEVICE_USB *hif_usb_device,
 			tmp_frag_count = tmp_frag_count + 1;
 		}
 	} else {
-		/*
-		 * | hif_usb_send_context | netbuf->data
-		 */
-		head_data_len = sizeof(struct hif_usb_send_context);
+		/* Extra fragments overflow */
+		HIF_ERROR("%s Extra fragments count overflow : %d\n",
+			  __func__, frag_count);
+		status = QDF_STATUS_E_FAILURE;
+		goto err;
 	}
 
 	/* Check whether head room is enough to save extra head data */ |
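Review bot: The new first condition `if (frag_count > 1) {` in the first hunk sends multi-fragment buffers down the single-buffer path (`head_data_len = sizeof(struct hif_usb_send_context);`, commented `| hif_usb_send_context | netbuf->data`), while the `else if ((frag_count - 1) < CVG_NBUF_MAX_EXTRA_FRAGS)` fragment path is then only reached for frag_count of 0 or 1, where `frag_count - 1` promotes to -1 or 0 and the comparison presumably always holds, so the overflow `else` added in the second hunk is unreachable and the upper-limit check the commit describes does not take effect. If the rendered line reflects the patch, the first branch should read `if (frag_count == 1) {` so that the bounded fragment path and the error path are the ones taken for frag_count > 1. Narrowing `frag_count` to `uint8_t` also depends on the return type of `qdf_nbuf_get_num_frags()`, which is not visible here; if it returns a wider type, a count above 255 would wrap before the new comparison sees it, so the check should be done on the unnarrowed value or the return type confirmed. hif_send_internal() begins before the first hunk and continues past the second, and `status` and the `err` label are defined outside the visible lines.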