Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 23c6ea43 authored by Arif Hussain's avatar Arif Hussain
Browse files

wcnss: Fix Integer overflow 



Integer overflow can lead to buffer
overflow in wcnss_wlan_write

Change-Id: I9e6f3439e1c8509bdb9c8c14b9aefe5611de8b03
CRs-Fixed: 547969
Signed-off-by: default avatarArif Hussain <arifhussain@codeaurora.org>
parent 05b9885c

drivers/net/wireless/wcnss/wcnss_wlan.c

+6 −4
Original line number Diff line number Diff line
@@ -50,6 +50,7 @@ 


/* module params */

#define WCNSS_CONFIG_UNSPECIFIED (-1)

#define UINT32_MAX (0xFFFFFFFFU)



static int has_48mhz_xo = WCNSS_CONFIG_UNSPECIFIED;

module_param(has_48mhz_xo, int, S_IWUSR | S_IRUGO);
@@ -341,7 +342,7 @@ static struct { 
	int	fw_cal_available;

	int	user_cal_read;

	int	user_cal_available;

	int	user_cal_rcvd;

	u32	user_cal_rcvd;

	int	user_cal_exp_size;

	int	device_opened;

	int	iris_xo_mode_set;
@@ -2056,7 +2057,7 @@ static ssize_t wcnss_wlan_write(struct file *fp, const char __user 
			*user_buffer, size_t count, loff_t *position)

{

	int rc = 0;

	int size = 0;

	size_t size = 0;



	if (!penv || !penv->device_opened || penv->user_cal_available)

		return -EFAULT;
@@ -2064,7 +2065,7 @@ static ssize_t wcnss_wlan_write(struct file *fp, const char __user 
	if (penv->user_cal_rcvd == 0 && count >= 4

			&& !penv->user_cal_data) {

		rc = copy_from_user((void *)&size, user_buffer, 4);

		if (size > MAX_CALIBRATED_DATA_SIZE) {

		if (!size || size > MAX_CALIBRATED_DATA_SIZE) {

			pr_err(DEVICE " invalid size to write %d\n", size);

			return -EFAULT;

		}
@@ -2083,7 +2084,8 @@ static ssize_t wcnss_wlan_write(struct file *fp, const char __user 
	} else if (penv->user_cal_rcvd == 0 && count < 4)

		return -EFAULT;



	if (MAX_CALIBRATED_DATA_SIZE < count + penv->user_cal_rcvd) {

	if ((UINT32_MAX - count < penv->user_cal_rcvd) ||

	     MAX_CALIBRATED_DATA_SIZE < count + penv->user_cal_rcvd) {

		pr_err(DEVICE " invalid size to write %d\n", count +

				penv->user_cal_rcvd);

		rc = -ENOMEM;