author | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2021-07-15 22:23:29 +0530 |
---|---|---|
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2022-06-29 12:25:02 +0800 |
commit | 79861d3fe23093fe704c1d341642b434fb323aa6 (patch) | |
tree | 3420f4cd3470a02a567053d4b94b1520868cd195 /qcwcn/wifi_hal/wifilogger_diag.cpp | |
parent | 01a62ff8f25dcff90dd68c2940785119754ee92a (diff) | |
download | wlan-79861d3fe23093fe704c1d341642b434fb323aa6.tar.gz |
WifiHal: Invalid header length check for fw-diag msg
An invalid length field in a firmware diag message causes the
ring buffer to be read past its end.
Added checks of the length against the message headers and the
payload length, returning an error when the length is invalid.
Bug: 231524566
Test: Regression Test
CRs-Fixed: 2975064
Change-Id: I830a111fe2e58e1aa4039f2d9d996ba28632a9e5
Diffstat (limited to 'qcwcn/wifi_hal/wifilogger_diag.cpp')
-rw-r--r-- | qcwcn/wifi_hal/wifilogger_diag.cpp | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index 4bdfae8..09ac928 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -899,6 +899,20 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
 while ((info && !info->clean_up) && (length > (count + sizeof(fw_diag_msg_fixed_hdr_t)))) {
 diag_msg_fixed_hdr = (fw_diag_msg_fixed_hdr_t *)(buf + count);
+
+ if (diag_msg_fixed_hdr->diag_event_type > WLAN_DIAG_TYPE_LEGACY_MSG) {
+ hdr_size = sizeof(fw_diag_msg_hdr_v2_t);
+ } else {
+ hdr_size = sizeof(fw_diag_msg_hdr_t);
+ }
+
+ if ((count + hdr_size) > length)
+ {
+ ALOGE("process_fw_diag_msg (%d) - possible buffer over access, length=%d count=%d hdr_size=%d",
+ diag_msg_fixed_hdr->diag_event_type, length, count, hdr_size);
+ return WIFI_ERROR_UNKNOWN;
+ }
+
 switch (diag_msg_fixed_hdr->diag_event_type) {
 case WLAN_DIAG_TYPE_EVENT:
 case WLAN_DIAG_TYPE_EVENT_V2:
@@ -918,6 +932,12 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
 hdr_size = sizeof(fw_diag_msg_hdr_v2_t);
 payload = diag_msg_hdr_v2->payload;
 }
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_EVENT - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
+
 switch (id) {
 case EVENT_WLAN_BT_COEX_BT_SCO_START:
 case EVENT_WLAN_BT_COEX_BT_SCO_STOP:
@@ -1015,6 +1035,12 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
 hdr_size = sizeof(fw_diag_msg_hdr_v2_t);
 payload = diag_msg_hdr_v2->payload;
 }
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_LOG - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
+
 switch (id) {
 case LOG_WLAN_EXTSCAN_CAPABILITIES:
 status = process_log_extscan_capabilities(info, |
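Review bot: The new header guard in the first hunk logs `hdr_size` with `%d`, yet `hdr_size` is assigned from `sizeof(...)` two lines above; if it is declared `size_t` (its declaration is outside the hunk) the specifier must be `%zu`, and `count` needs the same care if it is unsigned, otherwise the ALOGE is undefined behavior on the very path meant to report a malformed message. The `if ((count + hdr_size) > length)` block also opens its brace on its own line while the rest of this function uses K&R braces — `if ((count + hdr_size) > length) {`. The header-version selection `diag_event_type > WLAN_DIAG_TYPE_LEGACY_MSG` relies on every V2 type being numbered after the legacy ones, which is not visible here; a comment such as `/* every *_V2 diag type is enumerated after WLAN_DIAG_TYPE_LEGACY_MSG and carries the larger v2 header */` would make that assumption explicit for whoever adds the next type. process_fw_diag_msg begins before and continues past this hunk.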
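Review bot: The payload bound `if ((count + hdr_size + payloadlen) > length)` in the WLAN_DIAG_TYPE_LOG hunk is identical to the one added for WLAN_DIAG_TYPE_EVENT apart from the log prefix, and only those two cases receive it; if any other `diag_event_type` case in this switch (not shown in the hunk) also takes a payload length from the header, it still reads past the buffer in exactly the way this commit fixes. A single helper, e.g. `static bool fw_diag_payload_fits(u16 length, size_t count, size_t hdr_size, size_t payloadlen) { return count + hdr_size + payloadlen <= length; }`, checked once before the per-type `switch (id)` logic would bound every case with one check instead of two copies. The message "possible buffer over access" also understates what the code does: the function returns immediately, so "rejecting truncated fw diag message" would describe the actual outcome for anyone reading the log. process_fw_diag_msg continues past this hunk.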