authorHsiu-Chang Chen <hsiuchangchen@google.com>2021-07-15 22:23:29 +0530
committerHsiu-Chang Chen <hsiuchangchen@google.com>2022-06-29 12:25:02 +0800
commit79861d3fe23093fe704c1d341642b434fb323aa6 (patch)
tree3420f4cd3470a02a567053d4b94b1520868cd195 /qcwcn/wifi_hal/wifilogger_diag.cpp
parent01a62ff8f25dcff90dd68c2940785119754ee92a (diff)
WifiHal: Invalid header length check for fw-diag msg
Due to an invalid length in a firmware message, the ring buffer overflows. Added a check of the length with respect to the message headers and returned an error in case of an invalid length. Bug: 231524566 Test: Regression Test CRs-Fixed: 2975064 Change-Id: I830a111fe2e58e1aa4039f2d9d996ba28632a9e5
Diffstat (limited to 'qcwcn/wifi_hal/wifilogger_diag.cpp')
-rw-r--r--qcwcn/wifi_hal/wifilogger_diag.cpp26
1 files changed, 26 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index 4bdfae8..09ac928 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -899,6 +899,20 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
while ((info && !info->clean_up)
&& (length > (count + sizeof(fw_diag_msg_fixed_hdr_t)))) {
diag_msg_fixed_hdr = (fw_diag_msg_fixed_hdr_t *)(buf + count);
+
+ if (diag_msg_fixed_hdr->diag_event_type > WLAN_DIAG_TYPE_LEGACY_MSG) {
+ hdr_size = sizeof(fw_diag_msg_hdr_v2_t);
+ } else {
+ hdr_size = sizeof(fw_diag_msg_hdr_t);
+ }
+
+ if ((count + hdr_size) > length)
+ {
+ ALOGE("process_fw_diag_msg (%d) - possible buffer over access, length=%d count=%d hdr_size=%d",
+ diag_msg_fixed_hdr->diag_event_type, length, count, hdr_size);
+ return WIFI_ERROR_UNKNOWN;
+ }
+
switch (diag_msg_fixed_hdr->diag_event_type) {
case WLAN_DIAG_TYPE_EVENT:
case WLAN_DIAG_TYPE_EVENT_V2:
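Review bot: The ALOGE in the added header check prints `hdr_size` with `%d`, but `hdr_size` is assigned from `sizeof(...)` two lines earlier; if it is declared as `size_t` (its declaration is outside the hunk) the specifier is mismatched and the log call is undefined behaviour, so `%zu` (or a cast to `unsigned`) would be the safe form, and the same applies to `count` if it is not an `int`/`u16`. The choice of header size also rests on the assumption that every `diag_event_type` value above `WLAN_DIAG_TYPE_LEGACY_MSG` carries the v2 header, which is an ordering contract on the enum that deserves a comment next to the comparison, e.g. `/* all types enumerated after LEGACY_MSG use the v2 header; keep this in sync with the enum */`. The enclosing `process_fw_diag_msg` starts before and continues after this hunk.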
@@ -918,6 +932,12 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
hdr_size = sizeof(fw_diag_msg_hdr_v2_t);
payload = diag_msg_hdr_v2->payload;
}
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_EVENT - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
+
switch (id) {
case EVENT_WLAN_BT_COEX_BT_SCO_START:
case EVENT_WLAN_BT_COEX_BT_SCO_STOP:
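Review bot: The added payload bound computes `count + hdr_size + payloadlen` and compares it with the u16 `length`; if `payloadlen` is a 32-bit field taken from the firmware header (its type is declared outside the hunk), a large value can wrap the sum back below `length` and the check passes. Since the header check earlier in the loop already guarantees `count + hdr_size <= length`, the subtraction form cannot underflow and cannot wrap: `if (payloadlen > (length - count - hdr_size)) {`. The WLAN_DIAG_TYPE_LOG check in the following hunk has the same shape and would take the same change. The enclosing switch and `process_fw_diag_msg` continue outside this hunk.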
@@ -1015,6 +1035,12 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
hdr_size = sizeof(fw_diag_msg_hdr_v2_t);
payload = diag_msg_hdr_v2->payload;
}
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_LOG - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
+
switch (id) {
case LOG_WLAN_EXTSCAN_CAPABILITIES:
status = process_log_extscan_capabilities(info,