Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 2357ecbfa1b21a93f99b83dae7bad6ae341d03bf
commit2357ecbfa1b21a93f99b83dae7bad6ae341d03bf[log] [tgz]
authorLior David <liord@codeaurora.org>Mon Oct 16 20:39:31 2017 +0300
committerLior David <liord@codeaurora.org>Thu Oct 19 11:33:53 2017 +0300
tree9d0e587c9ee659c20efed6e56461495e3b695c71
parent1ded649ba856528f51229b40dddaa7f8a34e0ab1 [diff]
wil6210: fix length check in __wmi_send

The current length check:
sizeof(cmd) + len > r->entry_size
will allow very large values of len (> U16_MAX - sizeof(cmd))
and can cause a buffer overflow. Fix the check to cover this case.
In addition, ensure the mailbox entry_size is not too small,
since this can also bypass the above check.

Change-Id: Iecb4f53ef05da0e015bc954b57b0e40debb7c8b7
Signed-off-by: Lior David <liord@codeaurora.org>
2 files changed
tree: 9d0e587c9ee659c20efed6e56461495e3b695c71
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. techpack/
  21. tools/
  22. usr/
  23. virt/
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. AndroidKernel.mk
  30. build.config.goldfish.arm
  31. build.config.goldfish.arm64
  32. build.config.goldfish.mips
  33. build.config.goldfish.mips64
  34. build.config.goldfish.x86
  35. build.config.goldfish.x86_64
  36. COPYING
  37. CREDITS
  38. Kbuild
  39. Kconfig
  40. MAINTAINERS
  41. Makefile
  42. README
  43. REPORTING-BUGS