authorKhanjan Desai <khanjan@codeaurora.org>2020-12-15 16:02:11 +0530
committerVictor Hsu <hsuvictor@google.com>2021-05-05 11:34:43 +0800
commit87ab975fff35de9de4dcd1bc494896065b1fcc47 (patch)
treea695ecf1ead89ad7a2ae67e0827915256ab2124b
parent4109454d0ec98c944bc0dfe01ec9cdc379fe6fee (diff)
llstats: Add negative length check befor memcpy
In a Peer type message, the length passed to memcpy depends on multiple data fields, which can overflow if the data is corrupted. Added a check on the length variable so that the memcpy is performed without overflow. Bug: 183447882 Change-Id: I0e641a09af920e5d3db6fb3f2f526533907f74f9 CRs-Fixed: 2907367
-rw-r--r--qcwcn/wifi_hal/llstats.cpp17
1 files changed, 13 insertions, 4 deletions
diff --git a/qcwcn/wifi_hal/llstats.cpp b/qcwcn/wifi_hal/llstats.cpp
index 407a6c3..50b8149 100644
--- a/qcwcn/wifi_hal/llstats.cpp
+++ b/qcwcn/wifi_hal/llstats.cpp
@@ -1151,10 +1151,19 @@ int LLStatsCommand::handleResponse(WifiEvent &reply)
memset(pIfaceStat, 0, resultsBufSize);
if(mResultsParams.iface_stat) {
- memcpy ( pIfaceStat, mResultsParams.iface_stat,
- sizeof(wifi_iface_stat));
- free (mResultsParams.iface_stat);
- mResultsParams.iface_stat = pIfaceStat;
+ if(resultsBufSize >= sizeof(wifi_iface_stat)) {
+ memcpy ( pIfaceStat, mResultsParams.iface_stat,
+ sizeof(wifi_iface_stat));
+ free (mResultsParams.iface_stat);
+ mResultsParams.iface_stat = pIfaceStat;
+ } else {
+ ALOGE("%s: numPeers = %u, num_rates= %u, "
+ "either numPeers or num_rates is invalid",
+ __FUNCTION__,numPeers,num_rates);
+ status = WIFI_ERROR_UNKNOWN;
+ free(pIfaceStat);
+ goto cleanup;
+ }
}
wifi_peer_info *pPeerStats;
pIfaceStat->num_peers = numPeers;
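Review bot: The new guard `if(resultsBufSize >= sizeof(wifi_iface_stat))` runs only after `memset(pIfaceStat, 0, resultsBufSize)` has already used the same length. It also rejects only a computed size that lands below `sizeof(wifi_iface_stat)`. A numPeers/num_rates pair that wraps to a larger value would still pass, and the per-peer writes that follow could then exceed the allocation; if resultsBufSize is a signed type, a negative value converts to a large unsigned in this comparison and passes as well. I would validate the size where it is computed, before the allocation and the memset, for example `if (resultsBufSize < sizeof(wifi_iface_stat)) { status = WIFI_ERROR_UNKNOWN; goto cleanup; }`, together with an upper bound on numPeers and num_rates. The size computation, the allocation and the rest of handleResponse are outside this hunk, so the type and the later writes are inferred and should be confirmed.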