Commit 34fa11ae authored by Bapiraju Alla, committed by Gerrit - the friendly Code Review server
qcacld-3.0: Validate NDP app info length before accessing NDP app info

Currently, NDP app info length is not being validated with max NDP
app info length. This may result in buffer overflow while accessing
NDP app info received from the firmware.
To address this, validate NDP app info length before accessing NDP
app info.

Change-Id: Ifddf1afca7ecf2585e8eb450864d9ba127238f6e
CRs-Fixed: 3073345
parent 28f22260
+1 −1
/*
 * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
 * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -35,7 +36,6 @@ struct wireless_dev;
#define NAN_SOCIAL_CHANNEL_5GHZ_LOWER_BAND 44
#define NAN_SOCIAL_CHANNEL_5GHZ_UPPER_BAND 149

#define NDP_APP_INFO_LEN 255
#define NDP_PMK_LEN 32
#define NDP_SCID_BUF_LEN 256
#define NDP_NUM_INSTANCE_ID 255
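Review bot: If NDP_APP_INFO_LEN is the line dropped from this header (the counts -35,7 +36,6 show one removal, and the same define is added in the next file), any code that still picks the macro up through this header loses it. Please confirm every remaining user includes the new location, and consider keeping the constant in one shared header next to the declaration of the ndp_app_info buffer it bounds, so the limit and the buffer size cannot drift apart.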
+2 −0
/*
 * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
 * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -55,6 +56,7 @@
#define WMA_RESUME_TIMEOUT                 6000
#define MAX_MEM_CHUNKS                     32
#define NAN_CLUSTER_ID_BYTES               4
#define NDP_APP_INFO_LEN                   255

#define WMA_CRASH_INJECT_TIMEOUT           5000

+6 −0
/*
 * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
 * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -720,6 +721,11 @@ static int wma_ndp_confirm_event_handler(void *handle, uint8_t *event_info,
			WMA_LOGE(FL("malloc failed"));
			return QDF_STATUS_E_NOMEM;
		}

		if (ndp_confirm.ndp_info.ndp_app_info_len > NDP_APP_INFO_LEN)
			ndp_confirm.ndp_info.ndp_app_info_len =
							NDP_APP_INFO_LEN;

		qdf_mem_copy(&ndp_confirm.ndp_info.ndp_app_info,
			     event->ndp_app_info,
			     ndp_confirm.ndp_info.ndp_app_info_len);
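Review bot: The new check on ndp_confirm.ndp_info.ndp_app_info_len silently clamps an out-of-range length from firmware to NDP_APP_INFO_LEN and carries on, so truncated app info is passed up with no trace that the event was malformed. Consider logging the received length and either rejecting the event or stating in a comment why truncation is acceptable. The check also sits after the allocation-failure branch; if that allocation is sized from ndp_app_info_len, move the validation above it so nothing is sized from an unvalidated value. The clamp bounds the destination write of qdf_mem_copy only; nothing in the visible lines confirms that event->ndp_app_info actually holds that many bytes.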