
Commit 4b04b726 authored by Arif Hussain

qcacmn: Fix integer overflow in roam scan stats extract

In extract_roam_scan_stats_res_evt_tlv(), validate
num_roam_scans to avoid any possible integer overflow
when receiving a larger num_roam_scans value.

Change-Id: I0f3bbf64fac8c151789de2f93a77c9af29b855d1
CRs-Fixed: 2331868
parent 6b85b32a
+6 −2
/*
 * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
 * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -14741,14 +14741,18 @@ extract_roam_scan_stats_res_evt_tlv(wmi_unified_t wmi_handle, void *evt_buf,

	num_scans = fixed_param->num_roam_scans;
	scan_param_size = sizeof(struct wmi_roam_scan_stats_params);
	*vdev_id = fixed_param->vdev_id;
	if (num_scans > WMI_ROAM_SCAN_STATS_MAX) {
		WMI_LOGE(FL("%u exceeded maximum roam scan stats: %u"),
			 num_scans, WMI_ROAM_SCAN_STATS_MAX);
		return QDF_STATUS_E_INVAL;
	}
	if ((num_scans > ((UINT_MAX - sizeof(*res)) / scan_param_size))) {
		WMI_LOGP("%s: Invalid num_roam_scans %d", __func__, num_scans);
		return QDF_STATUS_E_INVAL;
	}

	total_len = sizeof(*res) + num_scans * scan_param_size;
	*vdev_id = fixed_param->vdev_id;

	res = qdf_mem_malloc(total_len);
	if (!res) {
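Review bot: the guard `if ((num_scans > ((UINT_MAX - sizeof(*res)) / scan_param_size)))` bounds the length against UINT_MAX, but the sizeof operands make the arithmetic size_t and the declaration of total_len is not in the hunk, so the limit should be derived from total_len's own type to guarantee the guard and `total_len = sizeof(*res) + num_scans * scan_param_size` agree. Since num_scans is already rejected above when it exceeds WMI_ROAM_SCAN_STATS_MAX, this second test is only reachable if that constant is large enough to overflow; a short comment saying which of the two bounds is expected to be the effective one would help future readers. The WMI_LOGP line prints num_scans with %d while the WMI_LOGE call just above prints the same variable with %u; use %u in both. Both checks compare num_scans with constants only, so if the code after the allocation reads per-scan entries out of evt_buf, num_scans should also be checked against the number of entries actually present in the event.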