qcacmn: Fix possible OOB read in cnss_diag_cmd_handler
The nla_data coming from user space is variable-length data, but the driver is checking nla_len() against a fixed-length struct only. It is possible that the nla_len() check against the fixed-length struct may pass and, if the nla_data does not have the payload, it may result in a possible out-of-bounds read (slot->payload). Hence the fix is to check if nla_len() is at least more than the fixed-length struct and also account for the payload length.

Change-Id: I2e68d55c0411cff55908c1704031e3c070f3316e
CRs-Fixed: 2825763
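The check the commit describes, modelled in plain user-space C as an added example; this is not the qcacmn driver's own code. The `struct diag_cmd` layout, its `payload_len` field, the `fake_nla` stand-in for an nlattr and `nla_len()`, and the helper names are all assumptions made for the illustration. `check_fixed_only` is the pattern the commit calls out (only the fixed struct size is validated), and `check_with_payload` is the corrected pattern that also accounts for the announced payload length.

```c
/* Added example, not code from the qcacmn driver. The struct, the
 * payload_len field, the fake_nla stand-in and the helper names are
 * assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-length command header followed by a variable payload. */
struct diag_cmd {
    uint32_t cmd_type;
    uint32_t payload_len;   /* bytes the sender claims are in payload[] */
    uint8_t  payload[];     /* flexible array member: the variable part */
};

/* Stand-in for a netlink attribute: only the data pointer and the length
 * that nla_len() would report. */
struct fake_nla {
    const uint8_t *data;
    size_t len;
};

enum check_result { CMD_OK = 0, CMD_TOO_SHORT = 1, CMD_PAYLOAD_TRUNCATED = 2 };

/* "Before" pattern: only the fixed struct size is validated. An attribute
 * that announces a payload it does not actually carry still passes, so a
 * later read of the payload would run past the end of the attribute. */
enum check_result check_fixed_only(const struct fake_nla *nla)
{
    if (nla->len < sizeof(struct diag_cmd))
        return CMD_TOO_SHORT;
    return CMD_OK;
}

/* "After" pattern: the fixed header must fit, and the payload the header
 * announces must fit in the bytes that remain after it. */
enum check_result check_with_payload(const struct fake_nla *nla)
{
    struct diag_cmd hdr;

    if (nla->len < sizeof(struct diag_cmd))
        return CMD_TOO_SHORT;
    /* memcpy avoids unaligned access to the caller's buffer. */
    memcpy(&hdr, nla->data, sizeof hdr);
    /* Compare against the remaining length rather than adding, so a huge
     * payload_len cannot wrap the sum and slip past the check. */
    if (hdr.payload_len > nla->len - sizeof(struct diag_cmd))
        return CMD_PAYLOAD_TRUNCATED;
    return CMD_OK;
}

/* Builds a constructed attribute in buf: a header claiming claimed_payload
 * bytes, followed by only present_payload bytes of actual payload. */
struct fake_nla make_nla(uint8_t *buf, uint32_t claimed_payload,
                         size_t present_payload)
{
    struct diag_cmd hdr = { .cmd_type = 1, .payload_len = claimed_payload };
    struct fake_nla nla;

    memcpy(buf, &hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0xAB, present_payload);
    nla.data = buf;
    nla.len = sizeof hdr + present_payload;
    return nla;
}

int main(void)
{
    uint8_t buf[64];
    /* Constructed sample: header claims 16 payload bytes, only 4 are present. */
    struct fake_nla short_payload = make_nla(buf, 16, 4);

    printf("fixed-size check only : %d (0 = accepted)\n",
           check_fixed_only(&short_payload));
    printf("header + payload check: %d (2 = payload truncated)\n",
           check_with_payload(&short_payload));
    return 0;
}
```

The difference between the two functions is the whole fix: both reject an attribute shorter than the fixed struct, but only `check_with_payload` rejects an attribute whose header promises more payload than the attribute carries, which is the case that leads to the out-of-bounds read in the description.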