
Commit 03576d60 authored by abhinav kumar's avatar abhinav kumar Committed by Gerrit - the friendly Code Review server

qcacld-3.0: Possible buffer overflow issue in wma

Possible buffer overflow risk in function
wmi_unified_bcn_tmpl_send.

Validate the beacon template length against
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.

Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
parent b6c65058
+16 −2
/*
 * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
 * Copyright (c) 2013-2019, 2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -2371,8 +2371,22 @@ static QDF_STATUS wma_unified_bcn_tmpl_send(tp_wma_handle wma,
		tmpl_len = *(uint32_t *) &bcn_info->beacon[0];
	else
		tmpl_len = bcn_info->beaconLength;
	if (p2p_ie_len)

	if (tmpl_len > WMI_BEACON_TX_BUFFER_SIZE) {
		WMA_LOGE("tmpl_len: %d > %d. Invalid tmpl len", tmpl_len,
			 WMI_BEACON_TX_BUFFER_SIZE);
		return -EINVAL;
	}

	if (p2p_ie_len) {
		if (tmpl_len <= p2p_ie_len) {
			WMA_LOGE("tmpl_len %d <= p2p_ie_len %d, Invalid",
				 tmpl_len, p2p_ie_len);
			return -EINVAL;
		}
		tmpl_len -= (uint32_t) p2p_ie_len;
	}

	frm = bcn_info->beacon + bytes_to_strip;
	tmpl_len_aligned = roundup(tmpl_len, sizeof(A_UINT32));
	/*
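Review bot: The new bound `tmpl_len > WMI_BEACON_TX_BUFFER_SIZE` checks the length alone, while the source pointer set just below is `bcn_info->beacon + bytes_to_strip`. When `bytes_to_strip` is non-zero, a template of exactly the maximum length could therefore still extend past the end of `beacon`, depending on how that buffer is sized (its declaration is outside the hunk). If `beacon` is a fixed-size array, also rejecting `tmpl_len > sizeof(bcn_info->beacon) - bytes_to_strip` would cover the read side. Both new error paths return `-EINVAL` from a function declared `static QDF_STATUS`, so `return QDF_STATUS_E_INVAL;` would keep the return type consistent for callers. `tmpl_len` is assigned from a `uint32_t` read and appears to be unsigned, so the log formats should use `%u` rather than `%d`; the function body starts and ends outside this hunk.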