qcacld-2.0: Fix buffer overflow in wma radio_tx_power_level_stats handler
In function wma_unified_radio_tx_power_level_stats_event_handler,
power_level_offset is received from the FW and is used to memcpy data
from FW to local tx_time_per_power_level for num_tx_power_levels length.
However tx_time_per_power_level is allocated only for
total_num_tx_power_levels length.
If the power_level_offset is greater than total_num_tx_power_levels, then
a buffer overwrite would occur.
Add a sanity check to make sure power_level_offset does not exceed
total_num_tx_power_levels.
Change-Id: Ia363512ee35bb0e30b137c20bf092238c2e356da
CRs-Fixed: 2162715
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 7c532d8..8d5281d 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -5232,7 +5232,6 @@
sizeof(*fixed_param)) / sizeof(uint32_t))) {
WMA_LOGE("%s: excess tx_power buffers:%d", __func__,
fixed_param->num_tx_power_levels);
- VOS_ASSERT(0);
return -EINVAL;
}
@@ -5243,7 +5242,17 @@
fixed_param->total_num_tx_power_levels;
if (!rs_results->total_num_tx_power_levels)
goto post_stats;
-
+ if ((fixed_param->power_level_offset >
+ rs_results->total_num_tx_power_levels) ||
+ (fixed_param->num_tx_power_levels >
+ rs_results->total_num_tx_power_levels -
+ fixed_param->power_level_offset)) {
+ WMA_LOGE("%s: Invalid offset %d total_num %d num %d",
+ __func__, fixed_param->power_level_offset,
+ rs_results->total_num_tx_power_levels,
+ fixed_param->num_tx_power_levels);
+ return -EINVAL;
+ }
if (!rs_results->tx_time_per_power_level) {
rs_results->tx_time_per_power_level = vos_mem_malloc(
sizeof(uint32_t) *
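Review bot: The new bound on L29-L33 is checked against `rs_results->total_num_tx_power_levels`, which L25 appears to reassign from the current event's `fixed_param`, while the buffer on L40-L42 is allocated only when `tx_time_per_power_level` is still NULL; if `rs_results` persists across events (its lifetime is outside this hunk), a later event reporting a larger total would pass the check but still write past an allocation sized by an earlier, smaller total. If that is the case, the check should compare against the element count the buffer was actually allocated with, or the buffer should be freed and reallocated whenever the total changes. The subtraction on L32-L33 is safe as written only because the first clause already guarantees `power_level_offset <= total_num_tx_power_levels`; a one-line comment such as `/* offset <= total is established above, so the subtraction cannot wrap */` would make that ordering dependency explicit for the next maintainer. The enclosing function starts and ends outside the hunk.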