qcacmn: Fix zero size malloc when memory debug is disabled
In SLUB disabled builds, qdf_mem_malloc calls the
qdf_mem_malloc_fl function, which doesn't
validate whether the size provided is 0 and returns the value
ZERO_SIZE_PTR (((void *)16)) as the pointer. Dereferencing this
pointer causes an invalid address dereference.
Validate if the size parameter provided to qdf_mem_malloc is
0 or greater than QDF_MEM_MAX_MALLOC. Return failure if the
validation fails.
Change-Id: I8fc6bc796847e9dd3dfd5186b0386d323560d0cf
CRs-Fixed: 2571505
diff --git a/qdf/linux/src/qdf_mem.c b/qdf/linux/src/qdf_mem.c
index aba3fc6..33ec0fa 100644
--- a/qdf/linux/src/qdf_mem.c
+++ b/qdf/linux/src/qdf_mem.c
@@ -43,15 +43,15 @@
#include <net/cnss_prealloc.h>
#endif
-#ifdef MEMORY_DEBUG
-#include "qdf_debug_domain.h"
-#include <qdf_list.h>
-
/* Preprocessor Definitions and Constants */
#define QDF_MEM_MAX_MALLOC (4096 * 1024) /* 4 Mega Bytes */
#define QDF_MEM_WARN_THRESHOLD 300 /* ms */
#define QDF_DEBUG_STRING_SIZE 512
+#ifdef MEMORY_DEBUG
+#include "qdf_debug_domain.h"
+#include <qdf_list.h>
+
static qdf_list_t qdf_mem_domains[QDF_DEBUG_DOMAIN_COUNT];
static qdf_spinlock_t qdf_mem_list_lock;
@@ -1236,6 +1236,12 @@
{
void *ptr;
+ if (!size || size > QDF_MEM_MAX_MALLOC) {
+ qdf_nofl_err("Cannot malloc %zu bytes @ %s:%d", size, func,
+ line);
+ return NULL;
+ }
+
ptr = qdf_mem_prealloc_get(size);
if (ptr)
return ptr;
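Review bot: The new guard at the top of the function returns NULL for a zero-length request, so the fix only protects callers that check the result. A caller that dereferences without checking now faults on NULL instead of ZERO_SIZE_PTR, and a caller that computed a legitimate zero length will see what looks like an allocation failure. A comment above the check would make the contract explicit, e.g. `/* size 0 would return ZERO_SIZE_PTR; treat it, and anything above QDF_MEM_MAX_MALLOC, as a failed allocation */`. The `qdf_nofl_err` call does not appear to be rate-limited, so if `size` can ever be derived from a frame or firmware-supplied length, repeated bad requests could flood the log; a rate-limited log call would be safer here. The function signature lies outside the hunk, so the argument types behind `%zu` and `%d` could not be checked.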