Commit 4fbee731 authored by abhinav kumar, committed by Gerrit - the friendly Code Review server

qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handler

API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for
the event with WMI_OEM_RESPONSE_EVENTID. Host receives
"rsp->dma_len" from fw. The integer overflow occurs if
"oem_rsp->dma_len" is big enough while calculating the total
length of the Oem Data response buffer.

Fix is to add a sanity check for rsp->dma_len to avoid integer
overflow.

Change-Id: Idfbd358f62534eae0147f03505ced5728877a269
CRs-Fixed: 3001191
parent cd6dbc56
+12 −1
/*
 * Copyright (c) 2013-2020 The Linux Foundation. All rights reserved.
 * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -92,6 +92,7 @@ static QDF_STATUS target_if_wifi_pos_get_indirect_data(
	void *paddr = NULL;
	uint32_t addr_hi;
	uint8_t ring_idx = 0, num_rings;
	uint32_t allocated_len;

	if (!indirect) {
		target_if_debug("no indirect data. regular event received");
@@ -104,6 +105,16 @@ static QDF_STATUS target_if_wifi_pos_get_indirect_data(
		target_if_err("incorrect pdev_id: %d", indirect->pdev_id);
		return QDF_STATUS_E_INVAL;
	}

	allocated_len = priv_obj->dma_cap[ring_idx].min_buf_size +
				(priv_obj->dma_cap[ring_idx].min_buf_align - 1);
	if (indirect->len > allocated_len ||
	    indirect->len > OEM_DATA_DMA_BUFF_SIZE) {
		target_if_err("Invalid indirect len: %d, allocated_len:%d",
			      indirect->len, allocated_len);
		return QDF_STATUS_E_INVAL;
	}

	addr_hi = (uint64_t)WMI_OEM_DMA_DATA_ADDR_HI_GET(
						indirect->addr_hi);
	paddr = (void *)((uint64_t)addr_hi << 32 | indirect->addr_lo);
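
Review bot: the error log in the new length check prints allocated_len, which this function declares as uint32_t, with "%d"; use "%u" for it (and for indirect->len if that field is unsigned) so that the oversized values this check exists to reject are not logged as negative numbers. The second condition, "indirect->len > OEM_DATA_DMA_BUFF_SIZE", would also benefit from a one-line comment saying why a fixed cap is needed on top of allocated_len. Finally, the commit message speaks of rsp->dma_len in the event handler, while the check here is on indirect->len in target_if_wifi_pos_get_indirect_data; please state in the message how the two relate.
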
+3 −1
/*
 * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -64,6 +64,8 @@ struct wifi_pos_req_msg;

#ifndef OEM_DATA_RSP_SIZE
#define OEM_DATA_RSP_SIZE 1724
/* Header + VHT80 CIR * 2 chains */
#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2)
#endif

/**
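
Review bot: OEM_DATA_DMA_BUFF_SIZE is defined inside the "#ifndef OEM_DATA_RSP_SIZE" guard, so a build that already defines OEM_DATA_RSP_SIZE skips this block and leaves OEM_DATA_DMA_BUFF_SIZE undefined, even though the new length check in target_if_wifi_pos_get_indirect_data uses it. Give the new macro its own "#ifndef OEM_DATA_DMA_BUFF_SIZE" guard. The comment above it would also be clearer if it said which term is the header (64) and which is the CIR data (512 * 4 * 2), and named the unit.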