authorInsun Song <insun.song@broadcom.com>2017-06-05 14:39:26 -0700
committerJonathan Solnit <jsolnit@google.com>2017-07-19 20:12:56 +0000
commit54309250542661494cffbad0c5cf7ddc1226cc96 (patch)
treed0410489153eadb619583d7ffb23f56a51770f35
parent0f5a2362989079f47db62e2c8370c9e98d5f3ef7 (diff)
net: wireless: bcmdhd: adding boundary check for pfn events
Add a boundary check for the BSSID count in the dhd_pno_process_epno_result and dhd_handle_hotlist_scan_evt functions to prevent a heap overflow.

Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 37722328
Bug: 37722970
Change-Id: I1f0bc25ef4e7f5ba8f1aa9d9271919ee84d780a1
-rw-r--r--drivers/net/wireless/bcmdhd/dhd_pno.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index 7b686aafb7fc..4ce02099d283 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -92,6 +92,12 @@
#define TIME_MIN_DIFF 5
static wlc_ssid_ext_t * dhd_pno_get_legacy_pno_ssid(dhd_pub_t *dhd,
dhd_pno_status_info_t *pno_state);
+
+#define EVENT_DATABUF_MAXLEN (512 - sizeof(bcm_event_t))
+#define EVENT_MAX_NETCNT \
+ ((EVENT_DATABUF_MAXLEN - sizeof(wl_pfn_scanresults_t)) \
+ / sizeof(wl_pfn_net_info_t) + 1)
+
#ifdef GSCAN_SUPPORT
static wl_pfn_gscan_channel_bucket_t *
dhd_pno_gscan_create_channel_list(dhd_pub_t *dhd, dhd_pno_status_info_t *pno_state,
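Review bot: EVENT_DATABUF_MAXLEN hard-codes 512 with no comment tying it to the buffer that actually carries the firmware event, and the `+ 1` in EVENT_MAX_NETCNT is unexplained; presumably wl_pfn_scanresults_t already embeds one wl_pfn_net_info_t, but that should be stated next to the macro. Both macros are unsigned `sizeof` arithmetic, so if sizeof(bcm_event_t) plus sizeof(wl_pfn_scanresults_t) ever exceeds 512 the subtraction wraps to a huge value and the bound silently stops rejecting anything. I would add a comment along the lines of `/* 512: assumed maximum firmware event size (confirm against the event buffer); +1: first net info entry is embedded in wl_pfn_scanresults_t */` and a compile-time guard in one of the functions that uses the bound, e.g. `BUILD_BUG_ON(sizeof(bcm_event_t) + sizeof(wl_pfn_scanresults_t) > 512);`.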
@@ -3344,7 +3350,9 @@ void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *s
gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan);
- if (!results->count) {
+ if ((results->count == 0) || (results->count > EVENT_MAX_NETCNT)) {
+ DHD_ERROR(("%s: wrong count:%d\n", __FUNCTION__,
+ results->count));
*send_evt_bytes = 0;
return ptr;
}
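Review bot: The new upper bound on `results->count` is a compile-time constant derived from an assumed 512-byte event rather than from the length of the event actually received, so a shorter event with a count at or below EVENT_MAX_NETCNT could presumably still be read past its end; the signature is cut off in the hunk header, so I cannot tell whether a length is available to check against. The merged condition also routes `count == 0` through DHD_ERROR as `wrong count`, although it was a silent return before and may be a normal case; keeping the zero case quiet and printing with `%u` (the field looks unsigned) would avoid misleading log lines. The description names dhd_pno_process_epno_result as well, but neither hunk on this page touches it and the diffstat (9 insertions, 1 deletion) matches the two hunks shown, so the equivalent check there appears to be missing from this commit. The body of dhd_handle_hotlist_scan_evt starts and ends outside the hunk, so the later uses of `results->count` that this guard protects are not visible here.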