Commit d09caf95 authored by Lior David

wil6210: potential buffer overflow in wmi_evt_aoa_meas



The code in wmi_evt_aoa_meas can potentially overflow a data
buffer if the len parameter is smaller than
offsetof(struct wmi_aoa_meas_event, meas_data). Add protection
against this case.

Change-Id: I3f86f231e0c6b5ac54abbb9865cba0cbbd8d0448
Signed-off-by: Lior David <liord@codeaurora.org>
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
parent 74a82d40
+4 −0
@@ -681,6 +681,10 @@ void wil_aoa_evt_meas(struct wil6210_vif *vif,
	int data_len = len - offsetof(struct wmi_aoa_meas_event, meas_data);
	struct wil_aoa_meas_result *res;

	if (data_len < 0) {
		wil_err(wil, "AOA event too short (%d)\n", len);
		return;
	}
	data_len = min_t(int, le16_to_cpu(evt->length), data_len);

	res = kmalloc(sizeof(*res) + data_len, GFP_KERNEL);
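
Review bot: the new `if (data_len < 0)` guard relies on the initializer above it, `len - offsetof(struct wmi_aoa_meas_event, meas_data)`, coming out negative. `offsetof` yields a `size_t`, so with an `int` length (as the `%d` suggests) that subtraction is done in unsigned arithmetic and only turns negative when converted back to `int`. Checking `len < offsetof(struct wmi_aoa_meas_event, meas_data)` before computing `data_len` would state the intent directly and would not depend on that conversion. The `wil_err` message prints `len` but not the minimum size it was measured against, so adding the required header size would make the log line easier to act on. The commit subject also names `wmi_evt_aoa_meas` while the hunk header shows `wil_aoa_evt_meas`; the message should name the function actually changed.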