Wlan: Use proper length to copy channel avoid ind in WDI from FW
If the number of channel ranges in channel avoidance support is 4
in firmware and 15 in host, firmware sends the data with length
of 4 channel ranges while host tries to copy length of 15 channel
ranges and thus may access invalid memory resulting in crash.
Use the length sent by the firmware when copying the channel avoid
indication from the firmware.
Change-Id: I198d48d9257fc0acd3ff4ac5780bfd0ca2ddfa82
CRs-Fixed: 973897
diff --git a/CORE/WDI/CP/src/wlan_qct_wdi.c b/CORE/WDI/CP/src/wlan_qct_wdi.c
index bd1b472..189f4e4 100644
--- a/CORE/WDI/CP/src/wlan_qct_wdi.c
+++ b/CORE/WDI/CP/src/wlan_qct_wdi.c
@@ -31347,6 +31347,7 @@
WDI_LowLevelIndType wdiInd;
tHalAvoidFreqRangeIndParams chAvoidIndicationParam;
wpt_uint16 rangeLoop;
+ wpt_uint32 dataSize;
/*- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/*-------------------------------------------------------------------------
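Review bot: `chAvoidIndicationParam` declared two lines above `dataSize` is still left uninitialized, and once the copy in the next hunk is bounded by `pEventData->uEventDataSize`, every byte of the struct beyond that size keeps whatever the stack held; initialize it at declaration, `tHalAvoidFreqRangeIndParams chAvoidIndicationParam = {0};`, so a short indication yields zeroed trailing ranges rather than stale data. The overflow check that follows the copy only compares `avoidCnt` with `WLAN_HAL_MAX_AVOID_FREQ_RANGE`, not with how many ranges actually fit in `dataSize`, so a short indication carrying a large `avoidCnt` would presumably still have the range loop walk past the copied bytes — consider also clamping `avoidCnt` to the number of ranges that `dataSize` covers. If the struct's count field sits past the first `uEventDataSize` bytes the check would read an uncopied field, which is another reason for the zero-initialization. The enclosing function starts before this hunk and continues past the end of the visible diff.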
@@ -31361,12 +31362,16 @@
return WDI_STATUS_E_FAILURE;
}
+ dataSize = sizeof(tHalAvoidFreqRangeIndParams);
+ if (dataSize > pEventData->uEventDataSize)
+ dataSize = pEventData->uEventDataSize;
+
/*-------------------------------------------------------------------------
Extract indication and send it to UMAC
-------------------------------------------------------------------------*/
wpalMemoryCopy(&chAvoidIndicationParam,
pEventData->pEventData,
- sizeof(tHalAvoidFreqRangeIndParams));
+ dataSize);
/* Avoid Over flow */
if (WLAN_HAL_MAX_AVOID_FREQ_RANGE < chAvoidIndicationParam.avoidCnt)