
Commit 06c3fa20 authored by Lior David, committed by Gerrit - the friendly Code Review server

wil6210: potential buffer overflow in wmi_evt_aoa_meas



The code in wmi_evt_aoa_meas can potentially overflow a data
buffer if the len parameter is smaller than
offsetof(struct wmi_aoa_meas_event, meas_data). Add protection
against this case.

Change-Id: I3f86f231e0c6b5ac54abbb9865cba0cbbd8d0448
Signed-off-by: Lior David <liord@codeaurora.org>
parent 518cd856
+5 −1
/*
 * Copyright (c) 2016, The Linux Foundation. All rights reserved.
 * Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -650,6 +650,10 @@ void wil_aoa_evt_meas(struct wil6210_priv *wil,
	int data_len = len - offsetof(struct wmi_aoa_meas_event, meas_data);
	struct wil_aoa_meas_result *res;

	if (data_len < 0) {
		wil_err(wil, "AOA event too short (%d)\n", len);
		return;
	}
	data_len = min_t(int, le16_to_cpu(evt->length), data_len);

	res = kmalloc(sizeof(*res) + data_len, GFP_KERNEL);
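
Review bot: the added `if (data_len < 0)` test depends on `len - offsetof(struct wmi_aoa_meas_event, meas_data)` turning negative only when the result is stored into the int `data_len`. offsetof() yields a size_t, so with `len` an int (it is printed with %d) the subtraction itself is done unsigned and the negative value comes from the conversion back to int. Comparing before subtracting, for example `if (len < offsetof(struct wmi_aoa_meas_event, meas_data))`, and computing `data_len` afterwards would make the bound explicit and stop relying on that conversion. The placement ahead of the `le16_to_cpu(evt->length)` read is right, since a short event would not contain that field. The error text could also print the minimum expected length next to `len`. Separately, the commit message refers to wmi_evt_aoa_meas while the hunk header shows wil_aoa_evt_meas; the message should name the function that is changed.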