android/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cnss2: Fix mbox_msg size calculated

Browse Source 
Current code passes in mbox_msg max buffer
size to mailbox api rather than actual string
length. Resulting in KASAN detecting an out of
bound issue. Fix this by calculating the string
length, and passing that in.

CRs-Fixed: 3876948
Change-Id: I7d9be5466ca5bec81e181f47e278205d6d9a64ce
This commit is contained in:
Mohammed Ahmed 2024-07-03 15:51:08 -07:00 committed by Ravindra Konda
parent 92b14cc478
commit 234bc26709
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cnss2/power.c
View File

@ -1415,13 +1415,21 @@ static int
cnss_mbox_send_msg(struct cnss_plat_data *plat_priv, char *mbox_msg) cnss_mbox_send_msg(struct cnss_plat_data *plat_priv, char *mbox_msg)
{ {
struct qmp_pkt pkt; struct qmp_pkt pkt;
int mbox_msg_size;
int ret = 0; int ret = 0;
if (!plat_priv->mbox_chan) if (!plat_priv->mbox_chan)
return -ENODEV; return -ENODEV;
mbox_msg_size = strlen(mbox_msg) + 1;
if (mbox_msg_size > CNSS_MBOX_MSG_MAX_LEN) {
cnss_pr_err("message length greater than max length\n");
return -EINVAL;
}
cnss_pr_dbg("Sending AOP Mbox msg: %s\n", mbox_msg); cnss_pr_dbg("Sending AOP Mbox msg: %s\n", mbox_msg);
pkt.size = CNSS_MBOX_MSG_MAX_LEN; pkt.size = mbox_msg_size;
pkt.data = mbox_msg; pkt.data = mbox_msg;
ret = mbox_send_message(plat_priv->mbox_chan, &pkt); ret = mbox_send_message(plat_priv->mbox_chan, &pkt);
if (ret < 0) if (ret < 0)