Commit 1083615c authored by Rajeev Kumar Sirasanagandla, committed by Gerrit - the friendly Code Review server

qcacmn: Fix possible NULL dereference in apf read

While processing WMI_BPF_GET_VDEV_WORK_MEMORY_RESP_EVENTID,
in wma_apf_read_work_memory_event_handler() the apf read callback is
invoked after wmi_extract_apf_read_memory_resp_event_tlv().

During extraction of the apf attributes there is no NULL check of the data
TLV when the data length is non-zero. If the firmware message is wrongly
crafted with a non-zero length in the fixed param and NULL data, then a NULL
pointer dereference is seen in the apf read callback.

To address this, avoid the copy when data is NULL and the data length is
non-zero.

Change-Id: Ie054c487ead5c929e5a293651a65383d6f87dc71
CRs-Fixed: 2446019
parent 21a2827a
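The failure mode the commit message describes, as an added C example that is not the qcacmn code: a host-side extractor that trusts a firmware-supplied length and copies from a data TLV the parser may have left NULL. All struct, enum and function names here (apf_read_extract, apf_read_checksum, APF_READ_MAX_LEN and the constructed sample events) are illustrative stand-ins for the real WMI structures. The hardened extractor refuses the "non-zero length, NULL data" case before any copy, and additionally bounds the claimed length against the destination buffer, which is a check beyond what the commit message states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the event the commit message describes.
 * Names are illustrative stand-ins, not the qcacmn definitions. */
struct apf_read_fixed_param {
    uint32_t vdev_id;
    uint32_t data_len;         /* length claimed by firmware */
};

struct apf_read_resp_tlvs {
    const struct apf_read_fixed_param *fixed;
    const uint8_t *data;       /* NULL when the TLV parser found no data TLV */
};

#define APF_READ_MAX_LEN 256   /* assumed work-memory chunk limit */

struct apf_read_result {
    uint32_t vdev_id;
    uint32_t length;
    uint8_t buf[APF_READ_MAX_LEN];
};

enum extract_status {
    EXTRACT_OK = 0,
    EXTRACT_NO_FIXED = 1,      /* fixed param TLV missing */
    EXTRACT_NULL_DATA = 2,     /* non-zero length but NULL data: the crafted case */
    EXTRACT_TOO_LONG = 3,      /* claimed length exceeds the destination buffer */
};

/* Hardened extraction: never dereferences ev->data unless the firmware both
 * claimed a non-zero length and the data TLV is actually present and fits. */
int apf_read_extract(const struct apf_read_resp_tlvs *ev,
                     struct apf_read_result *out)
{
    if (!ev->fixed)
        return EXTRACT_NO_FIXED;

    out->vdev_id = ev->fixed->vdev_id;
    out->length = 0;

    if (ev->fixed->data_len == 0)
        return EXTRACT_OK;            /* nothing to copy; data may legitimately be NULL */
    if (!ev->data)
        return EXTRACT_NULL_DATA;     /* length without data: reject, do not copy */
    if (ev->fixed->data_len > APF_READ_MAX_LEN)
        return EXTRACT_TOO_LONG;      /* extra bounds check, not in the commit message */

    memcpy(out->buf, ev->data, ev->fixed->data_len);
    out->length = ev->fixed->data_len;
    return EXTRACT_OK;
}

/* Stand-in for the apf read callback: consumes the extracted bytes only after
 * extraction succeeded. Returns the byte sum (>= 0) on success, or the
 * negated extract_status on failure. */
long apf_read_checksum(const struct apf_read_resp_tlvs *ev)
{
    struct apf_read_result res;
    long sum = 0;
    uint32_t i;
    int st = apf_read_extract(ev, &res);

    if (st != EXTRACT_OK)
        return -(long)st;
    for (i = 0; i < res.length; i++)
        sum += res.buf[i];
    return sum;
}

/* Constructed sample events: a well-formed one, a legitimately empty one,
 * the crafted "length without data" one, and an oversized length. */
static const struct apf_read_fixed_param fp_good    = { 1, 4 };
static const struct apf_read_fixed_param fp_empty   = { 1, 0 };
static const struct apf_read_fixed_param fp_forged  = { 1, 4 };
static const struct apf_read_fixed_param fp_toolong = { 1, APF_READ_MAX_LEN + 1 };
static const uint8_t sample_data[4] = { 1, 2, 3, 4 };

const struct apf_read_resp_tlvs ev_good    = { &fp_good,    sample_data };
const struct apf_read_resp_tlvs ev_empty   = { &fp_empty,   NULL };
const struct apf_read_resp_tlvs ev_forged  = { &fp_forged,  NULL };        /* len 4, NULL data */
const struct apf_read_resp_tlvs ev_toolong = { &fp_toolong, sample_data };

int main(void)
{
    printf("good:    %ld\n", apf_read_checksum(&ev_good));
    printf("empty:   %ld\n", apf_read_checksum(&ev_empty));
    printf("forged:  %ld\n", apf_read_checksum(&ev_forged));
    printf("toolong: %ld\n", apf_read_checksum(&ev_toolong));
    return 0;
}
```

The ordering of the checks matters: the zero-length test comes first so that a legitimately empty response with no data TLV is still accepted, and the NULL test comes before the bounds test so the pointer is never touched on the crafted path. Anything a firmware message controls (here data_len) is treated as untrusted input on the host side.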