authorabhinav kumar <abhikuma@codeaurora.org>2021-06-04 19:45:08 +0530
committerchenpaul <chenpaul@google.com>2021-10-25 17:04:13 +0800
commitf1aead25d8d8b78afac6726690c283ef18c5d49b (patch)
tree1de2a712b911c4b7b0a761da4f9cbe744537f7ca
parente5db8838cc51cb76a839eeeb2ec070d2d9da930d (diff)
downloadqcacld-f1aead25d8d8b78afac6726690c283ef18c5d49b.tar.gz
qcacld-3.0: Possible buffer overflow issue in wma
Possible buffer overflow risk in function wmi_unified_bcn_tmpl_send. Validate the beacon template length against WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow. Change-Id: I98665de677f314f30a57991f48191f847718740c CRs-Fixed: 2960714 Bug: 202025735 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r--core/wma/src/wma_mgmt.c16
1 files changed, 15 insertions, 1 deletions
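diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index 19d583901d..b08ec50bba 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -2655,8 +2655,22 @@ static QDF_STATUS wma_unified_bcn_tmpl_send(tp_wma_handle wma,
 tmpl_len = *(uint32_t *) &bcn_info->beacon[0];
 else
 tmpl_len = bcn_info->beaconLength;
- if (p2p_ie_len)
+
+ if (tmpl_len > WMI_BEACON_TX_BUFFER_SIZE) {
+ wma_err("tmpl_len: %d > %d. Invalid tmpl len", tmpl_len,
+ WMI_BEACON_TX_BUFFER_SIZE);
+ return -EINVAL;
+ }
+
+ if (p2p_ie_len) {
+ if (tmpl_len <= p2p_ie_len) {
+ wma_err("tmpl_len %d <= p2p_ie_len %d, Invalid",
+ tmpl_len, p2p_ie_len);
+ return -EINVAL;
+ }
 tmpl_len -= (uint32_t) p2p_ie_len;
+ }
+
 frm = bcn_info->beacon + bytes_to_strip;
 tmpl_len_aligned = roundup(tmpl_len, sizeof(A_UINT32));
 /*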
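Review bot: The two new wma_err calls print tmpl_len with `%d`, yet the value is assigned from `*(uint32_t *) &bcn_info->beacon[0]` on the first line of the hunk, so it is presumably unsigned and the specifier should be `%u` — e.g. `wma_err("tmpl_len: %u > %d. Invalid tmpl len", tmpl_len, WMI_BEACON_TX_BUFFER_SIZE);` (and the same for the p2p_ie_len message, with the macro's and p2p_ie_len's own types checked in the same pass). A second point: the bound is applied to tmpl_len before it is rounded up on the hunk's penultimate line (`tmpl_len_aligned = roundup(tmpl_len, sizeof(A_UINT32))`), so a template of exactly WMI_BEACON_TX_BUFFER_SIZE bytes still yields an aligned length up to three bytes larger; if the copy that follows sizes its destination by WMI_BEACON_TX_BUFFER_SIZE and copies tmpl_len_aligned bytes, the comparison should be made on the aligned value. Also, when tmpl_len is read from the in-band header in beacon[0], nothing in the hunk ties it to bcn_info->beaconLength, so the source read starting at `bcn_info->beacon + bytes_to_strip` may still run past the template — worth confirming against the caller. wma_unified_bcn_tmpl_send begins and continues outside the hunk.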