authorAshish Kumar Dhanotiya <adhanoti@codeaurora.org>2019-07-26 12:29:14 +0530
committerRoger Wang <wangroger@google.com>2019-09-05 01:57:09 +0000
commita6ca4ace0d93fa76450b4e03e40b27127cda6ba6 (patch)
tree565334e1a56f8395ebcdf38dea682483867d17cc
parentddcd83464ef35d8ad546eecb3166b009db1a5fdc (diff)
downloadqcacld-a6ca4ace0d93fa76450b4e03e40b27127cda6ba6.tar.gz
qcacld-3.0: Possible integer overflow in hdd apf read memory cb
In hdd_apf_read_memory_cb, the context buffer length is checked against the sum of packet offset and event length. Both packet offset and event length are extracted from the FW response and can lead to integer overflow, which allows the length check to pass and eventually leads to a buffer overwrite when event data is copied to the context buffer. To avoid this issue, validate the event length against the available length in the context buffer, which is obtained as the difference between the context buffer length and the packet offset. Change-Id: I53798e56403f1c550f0a762645ccd67a1dc8500d CRs-Fixed: 2436502 Bug: 139886621 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r--core/hdd/src/wlan_hdd_apf.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/core/hdd/src/wlan_hdd_apf.c b/core/hdd/src/wlan_hdd_apf.c
index ad1a0b8904..76b8add91f 100644
--- a/core/hdd/src/wlan_hdd_apf.c
+++ b/core/hdd/src/wlan_hdd_apf.c
@@ -477,7 +477,8 @@ hdd_apf_read_memory_callback(void *hdd_context,
*/
pkt_offset = read_mem_evt->offset - context->offset;
- if (context->buf_len < pkt_offset + read_mem_evt->length) {
+ if ((pkt_offset > context->buf_len) ||
+ (context->buf_len - pkt_offset < read_mem_evt->length)) {
qdf_spin_unlock(&context->lock);
hdd_err("Read chunk exceeding allocated space");
return;
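Review bot: The two added lines only close the overflow if pkt_offset and context->buf_len are unsigned, and their types are not visible in this hunk; if pkt_offset were signed, a read_mem_evt->offset below context->offset would give a negative pkt_offset that satisfies neither clause and the subsequent copy would land before the buffer. Rejecting that case before the subtraction removes the dependency on the types, e.g. `if (read_mem_evt->offset < context->offset)` taking the same unlock/hdd_err/return path as the existing check, or at minimum a comment pinning the invariant: `/* pkt_offset and buf_len are unsigned: an FW offset below context->offset wraps and is caught by the first clause */`. Separately, pkt_offset == buf_len with length 0 still passes, which is fine only if the copy that follows tolerates a zero-length chunk. hdd_apf_read_memory_callback starts before and ends after this hunk.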