
Commit 9c146baa authored by Debasis Das's avatar Debasis Das Committed by Gerrit - the friendly Code Review server

qcacmn: Fix Integer Overflow Leading to Buffer Overflow

wmi_buf_alloc() API expects the length to be passed as a
uint16_t. However, the callers pass a uint32_t to it.
This might result in overflow and illegal memory access
thereafter. The fix is to modify the API signature accordingly.

Change-Id: If09da4978d421269b884f7d3c933c49c81651475
CRs-Fixed: 2218346
parent 4cc1d838
+3 −3
/*
 * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
 * Copyright (c) 2013-2020 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -138,10 +138,10 @@ wmi_unified_remove_work(struct wmi_unified *wmi_handle);
#ifdef MEMORY_DEBUG
#define wmi_buf_alloc(h, l) wmi_buf_alloc_debug(h, l, __FILE__, __LINE__)
wmi_buf_t
wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len,
wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len,
		    uint8_t *file_name, uint32_t line_num);
#else
wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len);
wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
#endif

/**
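Review bot: Neither `wmi_buf_alloc_debug()` nor `wmi_buf_alloc()` documents an upper bound for `len` in this header, and with the parameter now `uint32_t` the allocator is the only place left that can reject an oversized request. The function bodies are outside this hunk, so it cannot be confirmed from these lines that `len` is compared against a maximum before any headroom or alignment is added to it; such an addition could itself wrap for values near `UINT32_MAX`. I would state the contract above the prototypes, for example `/* len: payload length in bytes; the allocator must reject values above the maximum message size before doing arithmetic on len */`. Callers that compute `len` from a count times an element size still need their own overflow check, which the wider parameter type does not provide.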
+4 −4
/*
 * Copyright (c) 2015-2018 The Linux Foundation. All rights reserved.
 * Copyright (c) 2015-2018,2020 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -1201,7 +1201,7 @@ int wmi_get_host_credits(wmi_unified_t wmi_handle);

#ifdef MEMORY_DEBUG
wmi_buf_t
wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint16_t len, uint8_t *file_name,
wmi_buf_alloc_debug(wmi_unified_t wmi_handle, uint32_t len, uint8_t *file_name,
		    uint32_t line_num)
{
	wmi_buf_t wmi_buf;
@@ -1235,7 +1235,7 @@ void wmi_buf_free(wmi_buf_t net_buf)
	qdf_nbuf_free(net_buf);
}
#else
wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint16_t len)
wmi_buf_t wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
{
	wmi_buf_t wmi_buf;