Commit be26344c authored by Surabhi Vishnoi, committed by Surabhi Vishnoi

qcacmn: Fix possible OOB write in extract_time_sync_ftm_offset_event_tlv

In extract_time_sync_ftm_offset_event_tlv there is a possible
OOB write when value of num_qtime received from firmware is
greater than FTM_TIME_SYNC_QTIME_PAIR_MAX.

Fix is to add a sanity check for value of num_qtime received from
firmware to avoid the OOB write.

Change-Id: I6e57b1d716992d1a3c7d2f7ea911fefcbfbeff34
CRs-Fixed: 3033509
parent 26188a68
+4 −0
/*
/*
 * Copyright (c) 2016-2021 The Linux Foundation. All rights reserved.
 * Copyright (c) 2016-2021 The Linux Foundation. All rights reserved.
 * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * any purpose with or without fee is hereby granted, provided that the
@@ -13276,6 +13277,9 @@ extract_time_sync_ftm_offset_event_tlv(wmi_unified_t wmi, void *buf,


	param->vdev_id = resp_event->vdev_id;
	param->vdev_id = resp_event->vdev_id;
	param->num_qtime = param_buf->num_audio_sync_q_master_slave_times;
	param->num_qtime = param_buf->num_audio_sync_q_master_slave_times;
	if (param->num_qtime > FTM_TIME_SYNC_QTIME_PAIR_MAX)
		param->num_qtime = FTM_TIME_SYNC_QTIME_PAIR_MAX;

	q_pair = param_buf->audio_sync_q_master_slave_times;
	q_pair = param_buf->audio_sync_q_master_slave_times;
	if (!q_pair) {
	if (!q_pair) {
		WMI_LOGE("Invalid q_master_slave_times buffer");
		WMI_LOGE("Invalid q_master_slave_times buffer");
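
Review bot: The new clamp at "if (param->num_qtime > FTM_TIME_SYNC_QTIME_PAIR_MAX)" truncates a firmware-supplied count silently, so an out-of-range num_audio_sync_q_master_slave_times leaves no trace and the event is processed with partial data. Consider logging the received value with WMI_LOGE, as the q_pair NULL check just below already does for its failure case, or rejecting the event with an error return instead of continuing. The copy that fills the destination array is not visible in this hunk; please confirm it iterates on param->num_qtime and not on param_buf->num_audio_sync_q_master_slave_times, otherwise the clamp does not bound the write. The commit message calls this a sanity check; it would help to state there that the value is clamped to the maximum and not treated as an invalid event.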