wifi-hal: Add check for num_rx_discovery_attr

Check the value of num_rx_discovery_attr before accessing in NanMatch event to avoid out-of-bound write. Bug: 184564368 CRs-Fixed: 2836431 Change-Id: I1a870c5f89394e2f66b1bbc16ea651ef5259772d
author: Amarnath Hullur Subramanyam <amarnath@codeaurora.org> 2020-12-13 12:24:46 -0800
committer: kensun <kensun@google.com> 2021-04-29 08:49:03 +0000
commit: e49f3db2b2ccffd88c9107277b73a9b60e44ab03 (patch)
tree: f37b88dd3d963f3187ea3c2132da5e0062301425 /qcwcn
parent: 4109454d0ec98c944bc0dfe01ec9cdc379fe6fee (diff)
download: wlan-e49f3db2b2ccffd88c9107277b73a9b60e44ab03.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/nan_ind.cpp b/qcwcn/wifi_hal/nan_ind.cpp
index f661ed3..1fe651d 100644
--- a/qcwcn/wifi_hal/nan_ind.cpp
+++ b/qcwcn/wifi_hal/nan_ind.cpp
@@ -346,6 +346,11 @@ int NanCommand::getNanMatch(NanMatchInd *event)
             /* Populate receive discovery attribute from
                received TLV */
             idx = event->num_rx_discovery_attr;
+            if (idx < 0 || idx >= NAN_MAX_POSTDISCOVERY_LEN) {
+                ALOGE("NAN_TLV_TYPE_POST_NAN_DISCOVERY_ATTRIBUTE_RECEIVE"
+                      " Incorrect index:%d >= %d", idx, NAN_MAX_POSTDISCOVERY_LEN);
+                break;
+            }
             ret = getNanReceivePostDiscoveryVal(outputTlv.value,
                                                 outputTlv.length,
                                                 &event->discovery_attr[idx]);
author	Amarnath Hullur Subramanyam <amarnath@codeaurora.org>	2020-12-13 12:24:46 -0800
committer	kensun <kensun@google.com>	2021-04-29 08:49:03 +0000
commit	e49f3db2b2ccffd88c9107277b73a9b60e44ab03 (patch)
tree	f37b88dd3d963f3187ea3c2132da5e0062301425 /qcwcn
parent	4109454d0ec98c944bc0dfe01ec9cdc379fe6fee (diff)
download	wlan-e49f3db2b2ccffd88c9107277b73a9b60e44ab03.tar.gz