diff options
author | Vinay Gannevaram <quic_vganneva@quicinc.com> | 2020-01-20 14:31:32 +0530 |
---|---|---|
committer | Sunil Ravi <sunilravi@google.com> | 2020-03-05 16:35:03 -0800 |
commit | 0a1b211537405d3a1d64ae9a1d6feee58262a41f (patch) | |
tree | fd3552c5b3e8a559497c1bc59ca3a4cebe7678a8 /qcwcn | |
parent | f2edcbeb9bc05eab416bd985744c98c14c020799 (diff) | |
download | wlan-0a1b211537405d3a1d64ae9a1d6feee58262a41f.tar.gz |
Heap-buffer-overflow in send_nl_data() of wifi hal
In send_nl_data() function, the size of ctrl_msg can
be greater than size of nl_msg structure. This can
cause buffer overload due to out-of bound write in
nl_msg->nm_nlh. Added a check for length of ctrl_msg
to avoid the out-of-bound write.
Bug: 149836664
Test: Manual - Basic wifi sanity test
CRs-Fixed: 2605058
Change-Id: I73032dac6ce2f2e9ee7ede18b45b11a2b3f92053
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
Diffstat (limited to 'qcwcn')
-rw-r--r-- | qcwcn/wifi_hal/wifi_hal.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp index cb82885..cb770ee 100644 --- a/qcwcn/wifi_hal/wifi_hal.cpp +++ b/qcwcn/wifi_hal/wifi_hal.cpp @@ -1112,6 +1112,12 @@ static int send_nl_data(wifi_handle handle, wifihal_ctrl_req_t *ctrl_msg) goto nl_out; } + if (ctrl_msg->data_len > nlmsg_get_max_size(msg)) + { + ALOGE("%s: Invalid ctrl msg length \n", __FUNCTION__); + retval = -1; + goto nl_out; + } memcpy((char *)msg->nm_nlh, (char *)ctrl_msg->data, ctrl_msg->data_len); if(ctrl_msg->family_name == GENERIC_NL_FAMILY) |