diff options
| author | Vinay Gannevaram <quic_vganneva@quicinc.com> | 2021-11-11 13:05:48 +0530 |
|---|---|---|
| committer | Isaac Chiou <isaacchiou@google.com> | 2022-03-08 02:43:14 +0000 |
| commit | 4a28131dc5fe5f46dc63f7111d4e6ec702c017ee (patch) | |
| tree | 0e66d66b4ecca69a6c1fd1cf95b3ad1fcb2ede89 | |
| parent | b878b8ba1561905a1500b795c7616638b006cf6b (diff) | |
| download | qcacld-4a28131dc5fe5f46dc63f7111d4e6ec702c017ee.tar.gz | |
qcacld-3.0: Validate NDP app info length before accessing NDP app info
Currently, NDP app info length is not being validated with max NDP
app info length. This may result in buffer oveflow wile accessing
NDP app info received from the firmware.
To address this, validate NDP app info length before accessing NDP
app info
Bug: 218339149
Change-Id: Ifddf1afca7ecf2585e8eb450864d9ba127238f6e
CRs-Fixed: 3073345
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
| -rw-r--r-- | core/hdd/src/wlan_hdd_nan_datapath.h | 2 | ||||
| -rw-r--r-- | core/wma/inc/wma.h | 3 | ||||
| -rw-r--r-- | core/wma/src/wma_nan_datapath.c | 6 |
3 files changed, 9 insertions, 2 deletions
diff --git a/core/hdd/src/wlan_hdd_nan_datapath.h b/core/hdd/src/wlan_hdd_nan_datapath.h index 280b6a9b3b..ea0e87cd24 100644 --- a/core/hdd/src/wlan_hdd_nan_datapath.h +++ b/core/hdd/src/wlan_hdd_nan_datapath.h @@ -1,5 +1,6 @@ /* * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -37,7 +38,6 @@ struct wireless_dev; #define NAN_SOCIAL_CHANNEL_5GHZ_LOWER_BAND 44 #define NAN_SOCIAL_CHANNEL_5GHZ_UPPER_BAND 149 -#define NDP_APP_INFO_LEN 255 #define NDP_PMK_LEN 32 #define NDP_SCID_BUF_LEN 256 #define NDP_NUM_INSTANCE_ID 255 diff --git a/core/wma/inc/wma.h b/core/wma/inc/wma.h index 47b6532af1..f392ce0d68 100644 --- a/core/wma/inc/wma.h +++ b/core/wma/inc/wma.h @@ -1,9 +1,9 @@ /* * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * - * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the * above copyright notice and this permission notice appear in all @@ -64,6 +64,7 @@ #define WMA_RESUME_TIMEOUT 6000 #define MAX_MEM_CHUNKS 32 #define NAN_CLUSTER_ID_BYTES 4 +#define NDP_APP_INFO_LEN 255 #define WMA_CRASH_INJECT_TIMEOUT 5000 diff --git a/core/wma/src/wma_nan_datapath.c b/core/wma/src/wma_nan_datapath.c index b5b41d2388..64619e06f5 100644 --- a/core/wma/src/wma_nan_datapath.c +++ b/core/wma/src/wma_nan_datapath.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved. + * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -713,6 +714,11 @@ static int wma_ndp_confirm_event_handler(void *handle, uint8_t *event_info, WMA_LOGE(FL("malloc failed")); return QDF_STATUS_E_NOMEM; } + + if (ndp_confirm.ndp_info.ndp_app_info_len > NDP_APP_INFO_LEN) + ndp_confirm.ndp_info.ndp_app_info_len = + NDP_APP_INFO_LEN; + qdf_mem_copy(&ndp_confirm.ndp_info.ndp_app_info, event->ndp_app_info, ndp_confirm.ndp_info.ndp_app_info_len); |