
Commit 8dd3e59d authored by abhinav kumar, committed by Madan Koyyalamudi

qcacmn: Possible OOB read in process_fw_diag_event_data

API "fw_diag_data_event_handler" is the handler of an event
WMI_DIAG_DATA_CONTAINER_EVENTID comes from FW. Arguments of
this handler function come from FW.

If num_data may be less than size of(struct wlan_diag_data),
possible OOB while extracting event data.

Fix is to add a sanity check for num_data to avoid the OOB
read.

Change-Id: Ia2eb62dbaa154936bdb4ea34065657d441f12810
CRs-Fixed: 3001178
parent dde5f817
+1 −1
@@ -1693,7 +1693,7 @@ process_fw_diag_event_data(uint8_t *datap, uint32_t num_data)
	uint32_t diag_data_len; /* each fw diag payload */
	struct wlan_diag_data *diag_data;

	while (num_data > 0) {
	while (num_data >= sizeof(struct wlan_diag_data)) {
		diag_data = (struct wlan_diag_data *)datap;
		diag_type = WLAN_DIAG_0_TYPE_GET(diag_data->word0);
		diag_data_len = WLAN_DIAG_0_LEN_GET(diag_data->word0);
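
Review bot: The new loop condition `num_data >= sizeof(struct wlan_diag_data)` only guarantees that the fixed header is readable; `diag_data_len`, read from `diag_data->word0` two lines below it, is still firmware-supplied, and nothing in the visible lines bounds it against what is left of `num_data`. If the remainder of the loop does not already do so, reject the event when `diag_data_len > num_data - sizeof(struct wlan_diag_data)` before the payload is touched or `datap`/`num_data` are advanced, so an oversized length can neither read past the buffer nor wrap the unsigned `num_data`. Also note that a trailing fragment shorter than the header now ends the loop silently; a debug log for a non-zero leftover `num_data` would make truncated firmware events visible.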