Diffstat (limited to 'qcwcn/wifi_hal/wifilogger_diag.cpp')
-rw-r--r--qcwcn/wifi_hal/wifilogger_diag.cpp15
1 files changed, 15 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index d67ba06..4bdfae8 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -1037,6 +1037,11 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
payloadlen = diag_msg_hdr->u.msg_hdr.payload_len;
hdr_size = sizeof(fw_diag_msg_hdr_t);
payload = diag_msg_hdr->payload;
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_MSG - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
process_firmware_prints(info, (u8 *)diag_msg_fixed_hdr,
payloadlen + hdr_size);
break;
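Review bot: The added check runs after `payloadlen = diag_msg_hdr->u.msg_hdr.payload_len;`, so the length field is read from the buffer before anything visible confirms that a whole header fits in the bytes remaining after `count`. If a message is truncated inside its header, that read is presumably already past the end of `buf`, and the new comparison then uses a value taken from out-of-bounds memory. A guard placed before the header fields are dereferenced, such as `if (count + sizeof(fw_diag_msg_hdr_t) > length) return WIFI_ERROR_UNKNOWN;`, would close that gap; the WLAN_DIAG_TYPE_MSG_V2 and WLAN_DIAG_TYPE_CONFIG hunks have the same ordering. The pointer setup and the rest of process_fw_diag_msg are outside the hunk, so an earlier header-size check may already exist there.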
@@ -1047,6 +1052,11 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
payloadlen = diag_msg_hdr_v2->u.msg_hdr.payload_len;
hdr_size = sizeof(fw_diag_msg_hdr_v2_t);
payload = diag_msg_hdr_v2->payload;
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_MSG_V2 - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
process_firmware_prints(info, (u8 *)diag_msg_fixed_hdr,
payloadlen + hdr_size);
break;
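Review bot: The `%d` conversions in the ALOGE call are only correct if `length`, `count`, `hdr_size` and `payloadlen` all promote to `int`, and their declarations are outside the hunk. `hdr_size` is assigned from `sizeof(...)`, so if it is declared as `size_t` or another unsigned 32-bit-or-wider type, the format string mismatches and `count + hdr_size + payloadlen` is evaluated in unsigned arithmetic. Once the header is known to fit, the subtraction form `if (payloadlen > length - count - hdr_size)` does not depend on the sum staying in range, and logging with `%u` and explicit `(unsigned)` casts keeps the message well-defined. The same applies to the WLAN_DIAG_TYPE_MSG and WLAN_DIAG_TYPE_CONFIG hunks.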
@@ -1058,6 +1068,11 @@ static wifi_error process_fw_diag_msg(hal_info *info, u8* buf, u16 length)
payload = diag_msg_hdr->payload;
payloadlen = diag_msg_hdr->u.payload_len;
hdr_size = sizeof(fw_diag_msg_hdr_t);
+ if ((count + hdr_size + payloadlen) > length) {
+ ALOGE("WLAN_DIAG_TYPE_CONFIG - possible buffer over access, length=%d count=%d hdr_size=%d payload len=%d",
+ length, count, hdr_size, payloadlen);
+ return WIFI_ERROR_UNKNOWN;
+ }
process_firmware_prints(info, (u8 *)diag_msg_hdr,
payloadlen + hdr_size);
}