wlan: Fix logging crash caused by integer overflow
qcacld-2.0 to prima propagation
- In wlan_log_to_user(), the filled length is an unsigned integer.
- When the filled length and the message header size are added, the sum
  becomes greater than the max size, which is 4096.
- When filled length + message header size is subtracted from
  the max length, it becomes negative, but because of arithmetic
  conversion it becomes a very huge unsigned integer, which
  leads to length check failure.
- And since the length check has failed, the filled length keeps getting
  incremented, finally causing a crash because of overwriting
  other's memory.
- Fix this issue by putting a proper max length check such that
  when filled length + header size is greater than max length,
  a new free buffer is taken from the free log buffer pool.
Change-Id: I7132b4355345d42f9c23429be0eaeeb63d7e9e0e
CRs-Fixed: 902173
1 file changed
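An added example, not the driver's code and not part of this commit: a minimal C model of the length check the message describes, with the wrapping unsigned subtraction beside a compare-before-subtract form. The function names, the 24-byte header size and the starting fill level are assumptions; only the 4096 maximum comes from the commit message.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_LOG_LEN 4096u /* max size stated in the commit message */
#define HDR_SIZE    24u   /* constructed value, not the driver's header size */

/* Pre-fix style: the subtraction is unsigned, so once filled + HDR_SIZE
 * exceeds MAX_LOG_LEN the "remaining" space wraps to a huge value and
 * every message appears to fit. */
static bool needs_new_buffer_unsafe(unsigned int filled, unsigned int msg_len)
{
    unsigned int remaining = MAX_LOG_LEN - (filled + HDR_SIZE);
    return msg_len > remaining;
}

/* Post-fix style: compare first, subtract only when it cannot wrap. */
static bool needs_new_buffer_safe(unsigned int filled, unsigned int msg_len)
{
    unsigned int used = filled + HDR_SIZE;
    if (used > MAX_LOG_LEN)
        return true;              /* take a buffer from the free pool */
    return msg_len > MAX_LOG_LEN - used;
}

/* Models `count` appends of msg_len bytes without touching memory and
 * returns the highest end offset (header included) that would be written. */
static unsigned int simulate(bool (*needs_new)(unsigned int, unsigned int),
                             unsigned int filled, unsigned int msg_len,
                             int count)
{
    unsigned int high = 0;
    for (int i = 0; i < count; i++) {
        if (needs_new(filled, msg_len))
            filled = 0;           /* fresh buffer */
        filled += msg_len;
        if (filled + HDR_SIZE > high)
            high = filled + HDR_SIZE;
    }
    return high;
}

int main(void)
{
    /* Constructed state: 4080 + 24 = 4104, already past the 4096 limit. */
    printf("unsafe high-water mark: %u\n",
           simulate(needs_new_buffer_unsafe, 4080u, 100u, 5));
    printf("safe high-water mark:   %u\n",
           simulate(needs_new_buffer_safe, 4080u, 100u, 5));
    return 0;
}
```

A high-water mark above 4096 means the modelled writes would land past the end of the log buffer.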