authorHarprit Chhabada <harpritchhabada@codeaurora.org>2018-10-08 14:45:35 -0700
committerKelly Rossmoyer <krossmo@google.com>2019-04-11 22:43:09 +0000
commit36c96f06b03884cb483d3fc459a7ec3638bbb21f (patch)
treeb6205b67198cb3b31fa0ff9b26737351062f7dd6
parent42e16edb270c98061ccebfa156ee2a0b1dc543e6 (diff)
downloadqcacld-36c96f06b03884cb483d3fc459a7ec3638bbb21f.tar.gz
qcacld-3.0: Add bound check for fixed_param->total_num_tx_power_levels
Add bound check for new fixed_param->total_num_tx_power_levels with its old value of rs_results->total_num_tx_power_levels in wma_unified_radio_tx_power_level_stats_event_handler. rs_results->tx_time_per_power_level is allocated only once if it has not been already allocated. This allocation is saved into the global wma_handle structure. If multiple invocations of this handler occur then a buffer overflow can occur in the following scenario: 1. First message is used to allocate rs_results->tx_time_per_power_level with a small, but valid size. 2. Second message skips allocation of rs_results->tx_time_per_power_level since it was done with the first message. This message specifies a larger valid value and causes the qdf_mem_copy() to overflow. Change-Id: Ib9c7d3bd667e2ffc1408cd7356be35985331e028 CRs-Fixed: 2327688 Bug: 125677806 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r--core/wma/src/wma_utils.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c
index c201226a70..85abb6ca8f 100644
--- a/core/wma/src/wma_utils.c
+++ b/core/wma/src/wma_utils.c
@@ -1544,6 +1544,14 @@ static int wma_unified_radio_tx_power_level_stats_event_handler(void *handle,
fixed_param->radio_id;
tx_power_level_values = (uint8_t *) param_tlvs->tx_time_per_power_level;
+ if (fixed_param->total_num_tx_power_levels >
+ rs_results->total_num_tx_power_levels) {
+ WMA_LOGE("%s: excess tx_power buffers:%d, total_num_tx_power_levels:%d",
+ __func__, fixed_param->total_num_tx_power_levels,
+ rs_results->total_num_tx_power_levels);
+ return -EINVAL;
+ }
+
rs_results->total_num_tx_power_levels =
fixed_param->total_num_tx_power_levels;
if (!rs_results->total_num_tx_power_levels) {
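Review bot: The added guard compares against `rs_results->total_num_tx_power_levels`, which the assignment right after it overwrites with the incoming value, so the bound is the previous message's count rather than the size of the allocated `tx_time_per_power_level` buffer. If that stored count is still zero before the first allocation (not visible here; the handler's body starts and ends outside this hunk), every first event with a non-zero count would be rejected with -EINVAL, and after a smaller event the bound shrinks so later valid events are dropped. Consider applying the check only once the buffer exists, e.g. `if (rs_results->tx_time_per_power_level && fixed_param->total_num_tx_power_levels > rs_results->total_num_tx_power_levels) {`, and recording the allocated element count in its own field so the later copy is always bounded by the real capacity. The `%d` specifiers in the WMA_LOGE call also look mismatched if these counts are unsigned fields; `%u` would match in that case.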