Commit 7ad7bf89 authored Jul 02, 2020 by Pragaspathi Thilagaraj Committed by snandini Aug 07, 2020

qcacmn: Fix possible OOB access while sending ext stats request

In 32-bit systems, currently there is possible oob access in
send_stats_ext_req_cmd_tlv() is preq->request_data_len is
uin32_t max and len is also of type uint32_t.

Fix possible OOB access while sending ext stats request message
to firmware by validating the requested data length against the
difference between wmi max message size(WMI_SVC_MSG_MAX_SIZE),
size of the wmi command fixed param and wmi tlv header size
WMI_TLV_HDR_SIZE.

Change-Id: I769c9a6b7c0e0f76e2ec1070cac6c69768816454
CRs-Fixed: 2724256

parent 4c39495a

wmi/src/wmi_unified_tlv.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -5809,6 +5809,14 @@ static QDF_STATUS send_stats_ext_req_cmd_tlv(wmi_unified_t wmi_handle,
		wmi_buf_t buf;
		size_t len;
		uint8_t *buf_ptr;
		uint16_t max_wmi_msg_size = wmi_get_max_msg_len(wmi_handle);

		if (preq->request_data_len > (max_wmi_msg_size - WMI_TLV_HDR_SIZE -
		sizeof(*cmd))) {
		wmi_err("Data length=%d is greater than max wmi msg size",
		preq->request_data_len);
		return QDF_STATUS_E_FAILURE;
		}

		len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + preq->request_data_len;