Commit 514b87dc authored by Manikandan Mohan, committed by Gerrit - the friendly Code Review server

qcacmn: Fix out-of-bounds read in extract_ndp_confirm_tlv

Update handling of WMI_NDP_CONFIRM_EVENTID for possible out of
bounds read when fixed_params->num_ndp_channels is greater than
TLV length of NDP channel list or NSS list

Change-Id: I3bf429a47c46edbb464cf8447f227f7baa74fbe3
CRs-fixed: 2325849
parent f080bd5c
+8 −0
@@ -16899,6 +16899,14 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
			 __func__, fixed_params->ndp_app_info_len);
		return QDF_STATUS_E_INVAL;
	}
	if (fixed_params->num_ndp_channels > event->num_ndp_channel_list ||
	    fixed_params->num_ndp_channels > event->num_nss_list) {
		WMI_LOGE(FL("NDP Ch count %d greater than NDP Ch TLV len (%d) or NSS TLV len (%d)"),
			 fixed_params->num_ndp_channels,
			 event->num_ndp_channel_list,
			 event->num_nss_list);
		return QDF_STATUS_E_INVAL;
	}
	rsp->vdev =
		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
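Review bot: the WMI_LOGE call in the new check formats fixed_params->num_ndp_channels, event->num_ndp_channel_list and event->num_nss_list with %d. If these counts are unsigned fields, an oversized firmware-supplied value will be logged as a negative number, which makes the rejected event harder to triage, so %u (or the matching unsigned specifier) would be safer. Separately, the comparison only bounds the channel count by the lengths of the two received TLV arrays. If the code after this hunk copies the channel entries into a fixed-size array in rsp, the count also needs a check against that array's capacity. No such check is visible in this hunk, so please confirm it exists, or add it next to this one so that every bound on num_ndp_channels sits in one place before the first use of the value.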