From 26bf2356b5953463e3f4c830c3320ca164cddfa2 Mon Sep 17 00:00:00 2001 From: bings Date: Fri, 11 Jan 2019 14:14:43 +0800 Subject: [PATCH] qcacld-2.0: Avoid possible buffer over-read in wma_wow_wakeup_host_event Propagation from qcacld-3.0 to qcacld-2.0 Check for the minimum allowed data that can be written into the buffer param_buf->num_wow_packet_buffer in the function wma_process_utf_event. Change-Id: I8b83bc973fd6f0d7ad9e421a387ce3f03d6b6939 CRs-Fixed: 2379462
---
 drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index 4d35f6b17625..353eb0d63ef0 100644
--- a/drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -20732,6 +20732,11 @@ static int wma_wow_wakeup_host_event(void *handle, u_int8_t *event,
 vos_event_set(&wma->wma_resume_event);
 if (param_buf->wow_packet_buffer) {
+ if (param_buf->num_wow_packet_buffer <= 4) {
+ WMA_LOGE("Invalid wow packet buffer from firmware %u",
+ param_buf->num_wow_packet_buffer);
+ return -EINVAL;
+ }
 wow_buf_pkt_len = *(uint32_t *)param_buf->wow_packet_buffer;
 if (wow_buf_pkt_len > (param_buf->num_wow_packet_buffer - 4)) {
 WMA_LOGE("Invalid wow buf pkt len from firmware, wow_buf_pkt_len: %u, num_wow_packet_buffer: %u",
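Review bot: The new guard hard-codes `4`, which is the size of the length prefix read by `*(uint32_t *)param_buf->wow_packet_buffer` on the following line; writing it as `if (param_buf->num_wow_packet_buffer <= sizeof(uint32_t)) {` keeps the bound tied to the read it protects, and the same constant in the subtraction below it could follow suit. The early `return -EINVAL` comes after `vos_event_set(&wma->wma_resume_event)`, so a malformed firmware event still signals resume but skips the rest of the handler. The body of `wma_wow_wakeup_host_event` starts and ends outside this hunk, so please confirm that nothing acquired earlier in the function is left held on this path. A short comment above the check, for example `/* first 4 bytes hold the packet length; reject buffers that carry no payload */`, would explain why a buffer of exactly 4 bytes is also rejected.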