author | Amarnath Hullur Subramanyam <amarnath@codeaurora.org> | 2016-01-29 17:40:53 +0530 |
---|---|---|
committer | Vineeta Srivastava <vsrivastava@google.com> | 2016-03-08 11:21:12 -0800 |
commit | 76bf03b613d7c1aa14ba63b1670f0c9d11c367fc (patch) | |
tree | 39aa9a97b5b132cf84770ee37a05d747929dbfb9 /qcwcn | |
parent | b394a1e85e76f673f79532982b17badd8bcf05fd (diff) | |
Wifi-HAL: Add length check before proceeding to parse data.
To avoid illegal memory access when a received message is truncated,
add a length check before proceeding to parse its data.
Change-Id: Idf6e24af086abd4521eb4f95b0967b582001a951
CRs-Fixed: 970669
Diffstat (limited to 'qcwcn')
-rw-r--r-- | qcwcn/wifi_hal/wifilogger_diag.cpp | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index 7de1867..9ecbf45 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -2050,6 +2050,11 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
     /* Check nlmsg_type also to avoid processing unintended msgs */
     if (wnl->nlh.nlmsg_type == ANI_NL_MSG_PUMAC) {
+        if ((wnl->nlh.nlmsg_len <= sizeof(tAniNlHdr)) ||
+            (wnl->nlh.nlmsg_len < (sizeof(tAniNlHdr) + wnl->wmsg.length))) {
+            ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+            return WIFI_ERROR_UNKNOWN;
+        }
         if (wnl->wmsg.type == ANI_NL_MSG_LOG_HOST_EVENT_LOG_TYPE) {
             uint32_t diag_host_type;
@@ -2117,6 +2122,11 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
             }
         }
     } else if (wnl->nlh.nlmsg_type == ANI_NL_MSG_LOG) {
+        if ((wnl->nlh.nlmsg_len <= sizeof(tAniNlHdr)) ||
+            (wnl->nlh.nlmsg_len < (sizeof(tAniNlHdr) + wnl->wmsg.length))) {
+            ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+            return WIFI_ERROR_UNKNOWN;
+        }
         if (wnl->wmsg.type == ANI_NL_MSG_LOG_HOST_PRINT_TYPE) {
             process_driver_prints(info, (u8 *)(wnl + 1), wnl->wmsg.length);
         } else if (wnl->wmsg.type == ANI_NL_MSG_LOG_FW_MSG_TYPE) {
@@ -2129,6 +2139,12 @@ wifi_error diag_message_handler(hal_info *info, nl_msg *msg)
             fw_event_hdr_t *event_hdr = (fw_event_hdr_t *)(buf);
+            if ((wnl->nlh.nlmsg_len <= NLMSG_HDRLEN + sizeof(fw_event_hdr_t)) ||
+                (wnl->nlh.nlmsg_len < (NLMSG_HDRLEN + sizeof(fw_event_hdr_t) +
+                                       event_hdr->length))) {
+                ALOGE("Received message with insufficent length: %d", wnl->nlh.nlmsg_len);
+                return WIFI_ERROR_UNKNOWN;
+            }
             diag_fw_type = event_hdr->diag_type;
             if (diag_fw_type == DIAG_TYPE_FW_MSG) {
                 dbglog_slot *slot;
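Review bot: The guard added in the ANI_NL_MSG_PUMAC branch bounds the later reads with `wnl->nlh.nlmsg_len`, a value taken from the netlink header itself, and nothing in the hunk ties that value to the number of bytes actually received; unless `msg` has already been validated upstream (for example with `nlmsg_ok()`/`nlmsg_valid_hdr()`), a sender can still advertise a length larger than the buffer and the new check passes. That validation may well exist outside this hunk, so it is worth confirming rather than assuming. Separately, `nlmsg_len` is an unsigned 32-bit field but is printed with `%d`, and the message has a typo; I would change the log line to `ALOGE("Received message with insufficient length: %u", wnl->nlh.nlmsg_len);`. diag_message_handler starts before this hunk and continues after it.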
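Review bot: The five-line guard added to the ANI_NL_MSG_LOG branch is a byte-for-byte copy of the one added to the ANI_NL_MSG_PUMAC branch in the previous hunk, so any future correction to one (the `%d`/`%u` specifier, the typo, a tighter bound) will have to be made twice. Factoring the comparison into a small static helper keeps the two branches in sync and makes the intent of the two clauses readable. The helper below assumes `wnl` is a `tAniNlHdr *`, which the `sizeof(tAniNlHdr)` and `wnl->wmsg` uses suggest but the hunk does not show. diag_message_handler starts before this hunk and continues after it.
```cpp
/* True when the netlink payload is large enough to hold the ANI header
 * plus the wmsg.length bytes of data the header claims to carry. */
static bool ani_msg_len_ok(const tAniNlHdr *wnl)
{
    return wnl->nlh.nlmsg_len > sizeof(tAniNlHdr) &&
           wnl->nlh.nlmsg_len >= sizeof(tAniNlHdr) + wnl->wmsg.length;
}

// … unchanged: diag_message_handler up to the ANI_NL_MSG_LOG branch …
    } else if (wnl->nlh.nlmsg_type == ANI_NL_MSG_LOG) {
        if (!ani_msg_len_ok(wnl)) {
            ALOGE("Received message with insufficient length: %u", wnl->nlh.nlmsg_len);
            return WIFI_ERROR_UNKNOWN;
        }
// … unchanged: HOST_PRINT_TYPE / FW_MSG_TYPE dispatch …
```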
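Review bot: The bound added before `diag_fw_type = event_hdr->diag_type;` is anchored at `NLMSG_HDRLEN`, but `event_hdr` is built from `buf`, whose offset from `wnl` is assigned outside the hunk; the sibling ANI_NL_MSG_LOG_HOST_PRINT_TYPE branch hands out `(u8 *)(wnl + 1)`, i.e. an offset of `sizeof(tAniNlHdr)`, and if `buf` is positioned the same way this check under-counts by `sizeof(tAniNlHdr) - NLMSG_HDRLEN` bytes and still lets `event_hdr->length` run past the end of the message. Computing the bound from the real offset removes the guess: `size_t off = (size_t)((const u8 *)buf - (const u8 *)wnl);` and then compare `wnl->nlh.nlmsg_len` against `off + sizeof(fw_event_hdr_t)` and `off + sizeof(fw_event_hdr_t) + event_hdr->length` in place of the two `NLMSG_HDRLEN` expressions. If `buf` really does sit at `NLMSG_HDRLEN`, a one-line comment saying so next to the check would let the next reader verify it without re-deriving it. Both the enclosing FW_MSG_TYPE branch and diag_message_handler extend past this hunk.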