author | Subhani Shaik <subhanis@codeaurora.org> | 2017-04-26 10:09:46 -0700 |
---|---|---|
committer | Ningyuan Wang <nywang@google.com> | 2017-05-19 17:02:44 +0000 |
commit | 77e7a47c124b8893b5f278195cda903a57fdc44b (patch) | |
tree | 1113e80261e279d073e9f4be23447951a51342c1 /qcwcn/wifi_hal/wifilogger_diag.cpp | |
parent | 35072f35547089ce98d1706fc06940654372b008 (diff) | |
download | wlan-77e7a47c124b8893b5f278195cda903a57fdc44b.tar.gz |
WifiHal: Fix crash with firmware logs decode
Bug: 37671537
Change-Id: Ic53a9259483fee99902f04f14ef9a2c263ec4ffa
Diffstat (limited to 'qcwcn/wifi_hal/wifilogger_diag.cpp')
-rw-r--r-- | qcwcn/wifi_hal/wifilogger_diag.cpp | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index 5e9227b..d131102 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -2251,6 +2251,7 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
 }
 } else if (cmd == ANI_NL_MSG_CNSS_DIAG) {
 uint16_t diag_fw_type;
+ struct nlmsghdr *nlh = nlmsg_hdr(msg);
 if (!info->cldctx) {
 buf = (uint8_t *)NLMSG_DATA(wnl) + sizeof(wnl->clh.radio);
@@ -2268,6 +2269,12 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
 wnl->nlh.nlmsg_len);
 return WIFI_ERROR_UNKNOWN;
 }
+ } else {
+ if (nlh->nlmsg_len <= NLMSG_HDRLEN + sizeof(dbglog_slot)) {
+ ALOGE("Received CNSS_DIAG message with insufficent length: %d: %s:%d",
+ nlh->nlmsg_len, __FUNCTION__, __LINE__);
+ return WIFI_ERROR_UNKNOWN;
+ }
 }
 diag_fw_type = event_hdr->diag_type;
 if (diag_fw_type == DIAG_TYPE_FW_MSG) {
@@ -2275,6 +2282,16 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
 u16 length = 0;
 slot = (dbglog_slot *)buf;
+ if (nlh->nlmsg_len < (NLMSG_HDRLEN + sizeof(dbglog_slot) +
+ slot->length)) {
+ ALOGE("Received CNSS_DIAG message with insufficent length: %d:"
+ " expected: %zu, %s:%d",
+ nlh->nlmsg_len,
+ (NLMSG_HDRLEN + sizeof(dbglog_slot) +slot->length),
+ __FUNCTION__,
+ __LINE__);
+ return WIFI_ERROR_UNKNOWN;
+ }
 length = get_le32((u8 *)&slot->length);
 process_fw_diag_msg(info, &slot->payload[0], length);
 }
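Review bot: In the third hunk the bound check validates the raw `slot->length` field, but the value actually passed to process_fw_diag_msg two lines later is the decoded `get_le32((u8 *)&slot->length)`, so the length that is checked is not the length that is consumed; decode first and check that same value, `length = get_le32((u8 *)&slot->length);` followed by `if (nlh->nlmsg_len < (NLMSG_HDRLEN + sizeof(dbglog_slot) + length)) {`, and drop the later assignment (note `length` is declared `u16`, so a 32-bit decoded value is truncated before use — the check should see the untruncated value). The same check assumes the slot begins NLMSG_HDRLEN bytes after nlh, yet in the `!info->cldctx` path of the first hunk `buf` is `NLMSG_DATA(wnl) + sizeof(wnl->clh.radio)`, so the bound appears loose by that prefix there — worth confirming against the lines outside the hunk. `nlmsg_len` is a `__u32`, so the `%d` in both new ALOGE calls (second and third hunks) should be `%u`, and both strings misspell "insufficient". diag_message_handler begins and ends outside these hunks.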