Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cda1c997 authored by abhinav kumar's avatar abhinav kumar Committed by Madan Koyyalamudi
Browse files

qcacld-3.0: Possible buffer overflow issue in wma 

Possible bufer overflow risk in function
wmi_unified_bcn_tmpl_send.

Validate the beacon template length against
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.

Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
parent 450556ab

core/wma/src/wma_mgmt.c

+15 −1
Original line number Diff line number Diff line
@@ -2004,8 +2004,22 @@ static QDF_STATUS wma_unified_bcn_tmpl_send(tp_wma_handle wma, 
		tmpl_len = *(uint32_t *) &bcn_info->beacon[0];

	else

		tmpl_len = bcn_info->beaconLength;

	if (p2p_ie_len)



	if (tmpl_len > WMI_BEACON_TX_BUFFER_SIZE) {

		wma_err("tmpl_len: %d > %d. Invalid tmpl len", tmpl_len,

			WMI_BEACON_TX_BUFFER_SIZE);

		return -EINVAL;

	}



	if (p2p_ie_len) {

		if (tmpl_len <= p2p_ie_len) {

			wma_err("tmpl_len %d <= p2p_ie_len %d, Invalid",

				tmpl_len, p2p_ie_len);

			return -EINVAL;

		}

		tmpl_len -= (uint32_t) p2p_ie_len;

	}



	frm = bcn_info->beacon + bytes_to_strip;

	tmpl_len_aligned = roundup(tmpl_len, sizeof(A_UINT32));

	/*