
Commit 7c4c14ed authored by Anurag Chouhan's avatar Anurag Chouhan Committed by Gerrit - the friendly Code Review server

wcnss: Fix buffer overflow in wcnss_prealloc_get



There is a potential integer truncation in the wcnss_prealloc_get API.
size_t is 8 bytes on the x64 platform and "unsigned int" is 4 bytes.
To avoid this integer truncation, pass size as size_t instead
of unsigned int.

CRs-Fixed: 2269610
Change-Id: I14b274dd7cad98b55fdce1aaa27783272231afde
Signed-off-by: default avatarAnurag Chouhan <achouhan@codeaurora.org>
parent 315ed7f6
+4 −3
@@ -14,6 +14,7 @@
#include <linux/err.h>
#include <linux/stacktrace.h>
#include <linux/spinlock.h>
#include <net/cnss_prealloc.h>

static DEFINE_SPINLOCK(alloc_lock);

@@ -23,7 +24,7 @@ static DEFINE_SPINLOCK(alloc_lock);

struct wcnss_prealloc {
	int occupied;
	unsigned int size;
	size_t size;
	void *ptr;
#ifdef CONFIG_SLUB_DEBUG
	unsigned long stack_trace[WCNSS_MAX_STACK_TRACE];
@@ -143,7 +144,7 @@ static inline
void wcnss_prealloc_save_stack_trace(struct wcnss_prealloc *entry) {}
#endif

void *wcnss_prealloc_get(unsigned int size)
void *wcnss_prealloc_get(size_t size)
{
	int i = 0;
	unsigned long flags;
@@ -200,7 +201,7 @@ void wcnss_prealloc_check_memory_leak(void)
			j++;
		}

		pr_err("Size: %u, addr: %pK, backtrace:\n",
		pr_err("Size: %zu, addr: %pK, backtrace:\n",
		       wcnss_allocs[i].size, wcnss_allocs[i].ptr);
		print_stack_trace(&wcnss_allocs[i].trace, 1);
	}
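Review bot: Widening the parameter in `void *wcnss_prealloc_get(size_t size)` removes the truncation only at this function's boundary; a caller or wrapper that already holds the length in an `unsigned int` or `u32` still narrows it before the call and would then be handed a slot sized for the truncated value. The function body lies outside the hunk, so how it compares `size` against the `size_t size` field of `struct wcnss_prealloc`, and what it does with a request larger than every pool entry, cannot be confirmed from here. The call sites and any wrapper around this function should be checked for a narrower length type as part of this fix. I would also state the contract above the definition, for example `/* size: full request length in bytes; callers must not narrow it to 32 bits before the call */`, and repeat it at the prototype changed in the header section that follows.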
+1 −1
@@ -15,7 +15,7 @@

#define WCNSS_PRE_ALLOC_GET_THRESHOLD (4*1024)

extern void *wcnss_prealloc_get(unsigned int size);
extern void *wcnss_prealloc_get(size_t size);
extern int wcnss_prealloc_put(void *ptr);
extern int wcnss_pre_alloc_reset(void);
void wcnss_prealloc_check_memory_leak(void);