lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix possible OOB in extract_peer_stats_count_tlv

Browse Source 
Currently in function extract_peer_stats_count_tlv,
num_peers is copied directly to wmi_host_stats_event
structure without any validation which may cause
out of bound issue if num_peers provided in fixed
param becomes greater than actual number of peer
stats info.

Fix is to validate num_peer_stats_info before populating
stats_param->num_peer_stats_info_ext.

Change-Id: Icfb1c4fd34d3ec9120064e14bb65e35f8539f7fd
CRs-Fixed: 3032139
This commit is contained in:
Deeksha Gupta 2021-09-22 13:56:37 +05:30 committed by Madan Koyyalamudi
parent f1e6c20391
commit 2cce0794e6
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
components/wmi/src/wmi_unified_mc_cp_stats_tlv.c
View File

@ -327,6 +327,13 @@ extract_peer_stats_count_tlv(wmi_unified_t wmi_handle, void *evt_buf,
if (!ev_param)
return QDF_STATUS_E_FAILURE;
if (!param_buf->num_peer_stats_info ||
param_buf->num_peer_stats_info < ev_param->num_peers) {
wmi_err_rl("actual num of peers stats info: %d is less than provided peers: %d",
param_buf->num_peer_stats_info, ev_param->num_peers);
return QDF_STATUS_E_FAULT;
}
if (!stats_param)
return QDF_STATUS_E_FAILURE;