Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2cce0794 authored by Deeksha Gupta's avatar Deeksha Gupta Committed by Madan Koyyalamudi
Browse files

qcacld-3.0: Fix possible OOB in extract_peer_stats_count_tlv 

Currently in function extract_peer_stats_count_tlv,
num_peers is copied directly to wmi_host_stats_event
structure without any validation which may cause
out of bound issue if num_peers provided in fixed
param becomes greater than actual number of peer
stats info.

Fix is to validate num_peer_stats_info before populating
stats_param->num_peer_stats_info_ext.

Change-Id: Icfb1c4fd34d3ec9120064e14bb65e35f8539f7fd
CRs-Fixed: 3032139
parent f1e6c203

components/wmi/src/wmi_unified_mc_cp_stats_tlv.c

+7 −0
Original line number Diff line number Diff line
@@ -327,6 +327,13 @@ extract_peer_stats_count_tlv(wmi_unified_t wmi_handle, void *evt_buf, 
	if (!ev_param)

		return QDF_STATUS_E_FAILURE;



	if (!param_buf->num_peer_stats_info ||

	    param_buf->num_peer_stats_info < ev_param->num_peers) {

		wmi_err_rl("actual num of peers stats info: %d is less than provided peers: %d",

			   param_buf->num_peer_stats_info, ev_param->num_peers);

		return QDF_STATUS_E_FAULT;

	}



	if (!stats_param)

		return QDF_STATUS_E_FAILURE;