author | abhinav kumar <abhikuma@codeaurora.org> | 2021-08-11 19:28:49 +0530 |
---|---|---|
committer | Isaac Chiou <isaacchiou@google.com> | 2021-11-16 07:59:23 +0000 |
commit | e960b71e34c068cc0dd3e7f00a1203aa879a2362 (patch) | |
tree | f4f43098a9a376c5cf26329ba1673f46e3693a63 | |
parent | cef27c1905c58aa9ff41651ee326545a326e1a56 (diff) | |
download | qcacld-android-msm-bonito-4.9-s-v2-beta-3.tar.gz |
qcacmn: Possible OOB read in process_fw_diag_event_data
android-s-v2-beta-3_r0.1 android-12.1.0_r0.11 android-12.1.0_r0.1 android-msm-bonito-4.9-s-v2-beta-3
API "fw_diag_data_event_handler" is the handler of the event
WMI_DIAG_DATA_CONTAINER_EVENTID, which comes from FW. Arguments of
this handler function come from FW.
If num_data is less than sizeof(struct wlan_diag_data),
an OOB read is possible while extracting event data.
Fix is to add a sanity check for num_data to avoid the OOB
read.
Bug: 204909067
Test: Regression test
CRs-Fixed: 3001178
Change-Id: Ia2eb62dbaa154936bdb4ea34065657d441f12810
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
-rw-r--r-- | core/utils/fwlog/dbglog_host.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/core/utils/fwlog/dbglog_host.c b/core/utils/fwlog/dbglog_host.c index 2557ecd7a3..279d9e0608 100644 --- a/core/utils/fwlog/dbglog_host.c +++ b/core/utils/fwlog/dbglog_host.c @@ -1691,7 +1691,7 @@ process_fw_diag_event_data(uint8_t *datap, uint32_t num_data) uint32_t diag_data_len; /* each fw diag payload */ struct wlan_diag_data *diag_data; - while (num_data > 0) { + while (num_data >= sizeof(struct wlan_diag_data)) { diag_data = (struct wlan_diag_data *)datap; diag_type = WLAN_DIAG_0_TYPE_GET(diag_data->word0); diag_data_len = WLAN_DIAG_0_LEN_GET(diag_data->word0); |
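Review bot: The new loop condition `while (num_data >= sizeof(struct wlan_diag_data))` only guarantees that the fixed-size header is in bounds; `diag_data_len` is still taken straight from the firmware-supplied `word0` via `WLAN_DIAG_0_LEN_GET`, and nothing in the visible lines bounds it against what is left of `num_data`. Since `num_data` is a `uint32_t`, subtracting a header-plus-payload size larger than the remainder would wrap to a large value and keep the `>=` test true, so the loop would continue past the end of the event buffer. Please confirm that the rest of the loop body rejects `diag_data_len > num_data - sizeof(struct wlan_diag_data)` before the payload is read or `datap` is advanced, or add that check in this patch. A short comment above the loop stating that `datap` and `num_data` are firmware-controlled would also make the reason for the size check clear to later readers.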