authorAmarnath Hullur Subramanyam <amarnath@codeaurora.org>2016-01-29 17:40:53 +0530
committerVineeta Srivastava <vsrivastava@google.com>2016-03-08 11:21:12 -0800
commit76bf03b613d7c1aa14ba63b1670f0c9d11c367fc (patch)
tree39aa9a97b5b132cf84770ee37a05d747929dbfb9 /qcwcn
parentb394a1e85e76f673f79532982b17badd8bcf05fd (diff)
Wifi-HAL: Add length check before proceeding to parse data.
To avoid illegal memory access when a received message is truncated, add a length check before proceeding to parse the data. Change-Id: Idf6e24af086abd4521eb4f95b0967b582001a951 CRs-Fixed: 970669
Diffstat (limited to 'qcwcn')
-rw-r--r--qcwcn/wifi_hal/wifilogger_diag.cpp16
1 files changed, 16 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index 7de1867..9ecbf45 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -2050,6 +2050,11 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
/* Check nlmsg_type also to avoid processing unintended msgs */
if (wnl->nlh.nlmsg_type == ANI_NL_MSG_PUMAC) {
+ if ((wnl->nlh.nlmsg_len <= sizeof(tAniNlHdr)) ||
+ (wnl->nlh.nlmsg_len < (sizeof(tAniNlHdr) + wnl->wmsg.length))) {
+ ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+ return WIFI_ERROR_UNKNOWN;
+ }
if (wnl->wmsg.type == ANI_NL_MSG_LOG_HOST_EVENT_LOG_TYPE) {
uint32_t diag_host_type;
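Review bot: The added ALOGE prints `nlmsg_len`, a `__u32` in `struct nlmsghdr`, with `%d`; the matching specifier is `%u`, and the message also misspells "insufficient": `ALOGE("Received message with insufficient length: %u", wnl->nlh.nlmsg_len);`. The same five-line guard is repeated verbatim in the second hunk (and with different bounds in the third), so a `static` helper taking `wnl` and returning the verdict would keep the bound in one place. The third hunk measures from `NLMSG_HDRLEN + sizeof(fw_event_hdr_t)` whereas these two measure from `sizeof(tAniNlHdr)`; if `buf` there is derived from `wnl + 1` as the payload is in the second hunk (not visible here), its lower bound would need to be `sizeof(tAniNlHdr) + sizeof(fw_event_hdr_t)` to cover the header actually skipped. The check also trusts `nlmsg_len` from the message header rather than the byte count actually received, which is presumably validated by the netlink receive path before this function runs; worth confirming. `diag_message_handler` starts before this hunk.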
@@ -2117,6 +2122,11 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
}
}
} else if (wnl->nlh.nlmsg_type == ANI_NL_MSG_LOG) {
+ if ((wnl->nlh.nlmsg_len <= sizeof(tAniNlHdr)) ||
+ (wnl->nlh.nlmsg_len < (sizeof(tAniNlHdr) + wnl->wmsg.length))) {
+ ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+ return WIFI_ERROR_UNKNOWN;
+ }
if (wnl->wmsg.type == ANI_NL_MSG_LOG_HOST_PRINT_TYPE) {
process_driver_prints(info, (u8 *)(wnl + 1), wnl->wmsg.length);
} else if (wnl->wmsg.type == ANI_NL_MSG_LOG_FW_MSG_TYPE) {
@@ -2129,6 +2139,12 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
fw_event_hdr_t *event_hdr =
(fw_event_hdr_t *)(buf);
+ if ((wnl->nlh.nlmsg_len <= NLMSG_HDRLEN + sizeof(fw_event_hdr_t)) ||
+ (wnl->nlh.nlmsg_len < (NLMSG_HDRLEN + sizeof(fw_event_hdr_t) +
+ event_hdr->length))) {
+ ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+ return WIFI_ERROR_UNKNOWN;
+ }
diag_fw_type = event_hdr->diag_type;
if (diag_fw_type == DIAG_TYPE_FW_MSG) {
dbglog_slot *slot;