android/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handler

Browse Source 
API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for
the event with WMI_OEM_RESPONSE_EVENTID. Host receives
"rsp->dma_len" from fw. The integer overflow occurs if
"oem_rsp->dma_len" is big enough while calculating the total
length of the Oem Data response buffer.

Fix is to add a sanity check for rsp->dma_len to avoid integer
overflow.

Change-Id: Idfbd358f62534eae0147f03505ced5728877a269
CRs-Fixed: 3001191
This commit is contained in:
abhinav kumar 2021-08-11 22:19:11 +05:30 committed by Madan Koyyalamudi
parent 57543be336
commit 86812026a0
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
target_if/wifi_pos/src/target_if_wifi_pos.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2013-2020 The Linux Foundation. All rights reserved.
* Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@ -92,6 +92,7 @@ static QDF_STATUS target_if_wifi_pos_get_indirect_data(
void *paddr = NULL;
uint32_t addr_hi;
uint8_t ring_idx = 0, num_rings;
uint32_t allocated_len;
if (!indirect) {
target_if_debug("no indirect data. regular event received");
@ -104,6 +105,16 @@ static QDF_STATUS target_if_wifi_pos_get_indirect_data(
target_if_err("incorrect pdev_id: %d", indirect->pdev_id);
return QDF_STATUS_E_INVAL;
}
allocated_len = priv_obj->dma_cap[ring_idx].min_buf_size +
(priv_obj->dma_cap[ring_idx].min_buf_align - 1);
if (indirect->len > allocated_len ||
indirect->len > OEM_DATA_DMA_BUFF_SIZE) {
target_if_err("Invalid indirect len: %d, allocated_len:%d",
indirect->len, allocated_len);
return QDF_STATUS_E_INVAL;
}
addr_hi = (uint64_t)WMI_OEM_DMA_DATA_ADDR_HI_GET(
indirect->addr_hi);
paddr = (void *)((uint64_t)addr_hi << 32 | indirect->addr_lo);

4
umac/wifi_pos/src/wifi_pos_utils_i.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
* Copyright (c) 2012-2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@ -64,6 +64,8 @@ struct wifi_pos_req_msg;
#ifndef OEM_DATA_RSP_SIZE
#define OEM_DATA_RSP_SIZE 1724
/* Header + VHT80 CIR * 2 chains */
#define OEM_DATA_DMA_BUFF_SIZE (64 + 512 * 4 * 2)
#endif
/**