qcacld-2.0: Fix buffer overflow in htt_t2h_msg_handler_fast

Propagate from qcacld3.0 to qcacld2.0

Currently the variable "num_mpdu_ranges" is taken from the message and used
directly without any validation, which causes a buffer over-write.

To avoid the buffer over-write, add a check that num_mpdu_ranges is valid.

Change-Id: I93e1e26a7b41ca5ab66d5f7efb92d5d64e6c7612
CRs-Fixed: 2500393
Lihua Liu 2019-07-31 17:11:44 +08:00 committed by L R
parent 68b103fb46
commit 315f137385
1 changed files with 3 additions and 3 deletions


@ -702,7 +702,7 @@ if (adf_os_unlikely(pdev->rx_ring.rx_reset)) {
pdev->rx_ind_msdu_byte_idx = 0;
if (unlikely(pdev->rx_mpdu_range_offset_words > msg_len)) {
adf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid rx_mpdu_range_offset_words %d\n",
adf_os_print("HTT_T2H_MSG_TYPE_RX_IND, invalid rx_mpdu_range_offset_words %d\n",
pdev->rx_mpdu_range_offset_words);
WARN_ON(1);
break;
@ -716,14 +716,14 @@ if (adf_os_unlikely(pdev->rx_ring.rx_reset)) {
*/
if (unlikely(calculated_msg_len <
pdev->rx_mpdu_range_offset_words)) {
adf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid mpdu_ranges %u\n",
adf_os_print("HTT_T2H_MSG_TYPE_RX_IND, invalid mpdu_ranges %u\n",
(num_mpdu_ranges *
(int)sizeof(uint32_t)));
WARN_ON(1);
break;
}
if (unlikely(calculated_msg_len > msg_len)) {
adf_print("HTT_T2H_MSG_TYPE_RX_IND, invalid offset_words + mpdu_ranges %u\n",
adf_os_print("HTT_T2H_MSG_TYPE_RX_IND, invalid offset_words + mpdu_ranges %u\n",
calculated_msg_len);
WARN_ON(1);
break;
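Review bot: The guard `if (unlikely(pdev->rx_mpdu_range_offset_words > msg_len))` compares a field named as a count of 32-bit words with `msg_len`, and the later `calculated_msg_len > msg_len` test appears to build on the same value. If `msg_len` is a byte length (it is defined outside these hunks, so this needs confirming), both checks accept offsets that lie beyond the message; the offset should be converted to bytes before comparing, e.g. `if (unlikely(((uint64_t)pdev->rx_mpdu_range_offset_words << 2) > msg_len))`. Each rejection path also calls `WARN_ON(1)` after an unthrottled print, so a target that keeps sending malformed RX_IND messages can flood the log, and on a kernel booted with panic_on_warn the rejection itself becomes a crash; `WARN_ON_ONCE(1)` or a rate-limited message without the WARN would keep the diagnostic without that exposure. The enclosing message-type case starts and ends outside the hunks shown.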