Heap-buffer-overflow in send_nl_data() of wifi hal am: 0a1b211537

Change-Id: Iddb8478deffb744e5d0d586ab5174927a3a667c3
author: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2020-03-10 01:29:30 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2020-03-10 01:29:30 +0000
commit: dd17eb61cd3eace4077ceac8fa33f4481177852d (patch)
tree: 66fb8ef97da9cdda76579244539aee2ea3b8d4d3 /qcwcn/wifi_hal
parent: 9ea329ed1255af74f16722074023b04cfb9b938e (diff)
parent: 0a1b211537405d3a1d64ae9a1d6feee58262a41f (diff)
download: wlan-dd17eb61cd3eace4077ceac8fa33f4481177852d.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index cb82885..cb770ee 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1112,6 +1112,12 @@ static int send_nl_data(wifi_handle handle, wifihal_ctrl_req_t *ctrl_msg)
        goto nl_out;
     }
 
+    if (ctrl_msg->data_len > nlmsg_get_max_size(msg))
+    {
+        ALOGE("%s: Invalid ctrl msg length \n", __FUNCTION__);
+        retval = -1;
+        goto nl_out;
+    }
     memcpy((char *)msg->nm_nlh, (char *)ctrl_msg->data, ctrl_msg->data_len);
 
    if(ctrl_msg->family_name == GENERIC_NL_FAMILY)
author	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2020-03-10 01:29:30 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2020-03-10 01:29:30 +0000
commit	dd17eb61cd3eace4077ceac8fa33f4481177852d (patch)
tree	66fb8ef97da9cdda76579244539aee2ea3b8d4d3 /qcwcn/wifi_hal
parent	9ea329ed1255af74f16722074023b04cfb9b938e (diff)
parent	0a1b211537405d3a1d64ae9a1d6feee58262a41f (diff)
download	wlan-dd17eb61cd3eace4077ceac8fa33f4481177852d.tar.gz