Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 77a1b770 authored by Manikandan Mohan's avatar Manikandan Mohan Committed by Gerrit - the friendly Code Review server
Browse files

qcacmn: Fix OOB access in WMI_SAR_GET_LIMITS_EVENTID 

Update handling of WMI_SAR_GET_LIMITS_EVENTID for a possible OOB that
can occur if param_buf->fixed_param.num_limit_rows is greater than
actual TLV length of param_buf->sar_get_limits array.

Change-Id: Iccacbb3689e6a7bdd73b2b1f0517d011ccf6d076
CRs-fixed: 2307276
parent ceff3970

wmi/src/wmi_unified_tlv.c

+6 −0
Original line number Diff line number Diff line
@@ -5676,6 +5676,12 @@ static QDF_STATUS extract_sar_limit_event_tlv(wmi_unified_t wmi_handle, 
	event->sar_enable = fixed_param->sar_enable;

	event->num_limit_rows = fixed_param->num_limit_rows;













	if (event->num_limit_rows > param_buf->num_sar_get_limits) {













		WMI_LOGE(FL("Num rows %d exceeds sar_get_limits rows len %d"),













			 event->num_limit_rows, param_buf->num_sar_get_limits);













		return QDF_STATUS_E_INVAL;













	}



























	if (event->num_limit_rows > MAX_SAR_LIMIT_ROWS_SUPPORTED) {















		QDF_ASSERT(0);















		WMI_LOGE(FL("Num rows %d exceeds max of %d"),