From 234bc26709114d4bdd253dc20cdd5ab359d4de92 Mon Sep 17 00:00:00 2001
From: Mohammed Ahmed
Date: Wed, 3 Jul 2024 15:51:08 -0700
Subject: [PATCH] cnss2: Fix mbox_msg size calculated

Current code passes in mbox_msg max buffer size to mailbox api rather than actual string length. Resulting in KASAN detecting an out of bound issue. Fix this by calculating the string length, and passing that in.

CRs-Fixed: 3876948
Change-Id: I7d9be5466ca5bec81e181f47e278205d6d9a64ce
---
 cnss2/power.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/cnss2/power.c b/cnss2/power.c
index d0a7ec3e82..37cc6296f8 100644
--- a/cnss2/power.c
+++ b/cnss2/power.c
@@ -1415,13 +1415,21 @@ static int cnss_mbox_send_msg(struct cnss_plat_data *plat_priv,
 char *mbox_msg)
 {
 struct qmp_pkt pkt;
+ int mbox_msg_size;
 int ret = 0;
 
 if (!plat_priv->mbox_chan)
 return -ENODEV;
 
+ mbox_msg_size = strlen(mbox_msg) + 1;
+
+ if (mbox_msg_size > CNSS_MBOX_MSG_MAX_LEN) {
+ cnss_pr_err("message length greater than max length\n");
+ return -EINVAL;
+ }
+
 cnss_pr_dbg("Sending AOP Mbox msg: %s\n", mbox_msg);
- pkt.size = CNSS_MBOX_MSG_MAX_LEN;
+ pkt.size = mbox_msg_size;
 pkt.data = mbox_msg;
 ret = mbox_send_message(plat_priv->mbox_chan, &pkt);
 if (ret < 0)
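Review bot: The added `mbox_msg_size = strlen(mbox_msg) + 1;` still scans without a bound and narrows the `size_t` result into an `int`, so the new `> CNSS_MBOX_MSG_MAX_LEN` check only helps when the caller's buffer is already NUL-terminated. Bounding the scan lets the existing check reject an unterminated or oversized message as well: declare `size_t mbox_msg_size;` and assign `mbox_msg_size = strnlen(mbox_msg, CNSS_MBOX_MSG_MAX_LEN) + 1;`. The callers and the type of `pkt.size` are not visible in this hunk, so confirm that every caller's buffer is at least CNSS_MBOX_MSG_MAX_LEN bytes (otherwise even the bounded scan can read past a shorter unterminated buffer) and that the field accepts the value without truncation. The body of cnss_mbox_send_msg continues past the end of the hunk.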