Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / 9fa0e8e014dac769c5df9633fdf84721de1874a8
commit9fa0e8e014dac769c5df9633fdf84721de1874a8[log] [tgz]
authorjitiphil <jitiphil@codeaurora.org>Fri May 25 17:40:41 2018 +0530
committernshrivas <nshrivas@codeaurora.org>Wed Jun 13 12:30:37 2018 -0700
treeeaf135f6ae022a9e23e76d2e97038802cd38bee5
parent75795d61a6758742814b135a806ae32b342c28f5 [diff]
qcacld-3.0: Integer overflow in wma_unified_link_peer_stats_event_handler

In wma_unified_link_peer_stats_event_handler a check for excess WMI
buffer is done by comparing difference between WMI_SVC_MSG_MAX_SIZE and
buffer length with size of wmi_peer_stats_event_fixed_param. In case the
buffer length is a value larger than WMI_SVC_MSG_MAX_SIZE, and as buffer
length is an unsigned integer, it causes an integer overflow and results
in a very large value, thus invalidating the check.

Change the check to compare difference of WMI_SVC_MSG_MAX_SIZE and size
of wmi_peer_stats_event_fixed_param with the buffer length which
prevents chance of integer overflow.

Change-Id: Ic99d0cf6b34c7c45dde3c4feb50e102807564eff
CRs-Fixed: 2224451
1 file changed
tree: eaf135f6ae022a9e23e76d2e97038802cd38bee5
  1. components/
  2. configs/
  3. core/
  4. uapi/
  5. Android.mk
  6. Kbuild
  7. Kconfig
  8. Makefile
  9. README.txt