qcacld-3.0: Fix an OOB issue in bmi_sign_stream_start()
Remaining may be greater than its original value when
(remaining & 0x3) != 0, then OOB occurs when memcpy. To address
this, align the remaining after doing memcpy.
Change-Id: I3e39a791a76a272e82beb6561375e26ca84ec0f4
CRs-Fixed: 2259721
diff --git a/core/bmi/src/bmi.c b/core/bmi/src/bmi.c
index 5917101..a637da3 100644
--- a/core/bmi/src/bmi.c
+++ b/core/bmi/src/bmi.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -414,8 +414,8 @@
src = &buffer[length - remaining];
if (remaining < (BMI_DATASZ_MAX - header)) {
if (remaining & 0x3) {
- remaining = remaining + (4 - (remaining & 0x3));
memcpy(aligned_buf, src, remaining);
+ remaining = remaining + (4 - (remaining & 0x3));
src = aligned_buf;
}
txlen = remaining;
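Review bot: in the `if (remaining & 0x3)` branch, the memcpy now fills only the original `remaining` bytes of aligned_buf, while `txlen = remaining` takes the rounded-up length, so up to 3 trailing bytes of aligned_buf are included in txlen without being set anywhere in the lines shown. Consider zeroing aligned_buf (or just the pad bytes) before the memcpy so the padding is deterministic and does not carry stale buffer contents. The `remaining < (BMI_DATASZ_MAX - header)` check is made on the unpadded value and the declaration of aligned_buf is not visible in this hunk, so please confirm the buffer is sized for the rounded-up length. A one-line comment stating that the round-up must come after the copy would help keep the ordering from being swapped back.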