qcacld-2.0: Fix potential buffer overwrite
In function wma_unified_link_iface_stats_event_handler, num_ac
is received from the firmware and is used in the loop to populate
values into results. However, the memory for results is allocated
only for WIFI_AC_MAX and a buffer overflow will occur if num_ac
is greater than or equal to WIFI_AC_MAX.
Add checks to make sure num_ac is not greater than or equal to
WIFI_AC_MAX.
Change-Id: Ife8b1d19aa853f85f4fad82d5791e49a8c892ca4
CRs-Fixed: 2154226
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index fef3ced..805a581 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -4953,6 +4953,11 @@
WMA_LOGA("%s: Invalid param_tlvs for Iface Stats", __func__);
return -EINVAL;
}
+ if (link_stats->num_ac >= WIFI_AC_MAX) {
+ WMA_LOGE("%s: Excess data received from firmware num_ac %d",
+ __func__, link_stats->num_ac);
+ return -EINVAL;
+ }
link_stats_size = sizeof(tSirWifiIfaceStat);
iface_info_size = sizeof(tSirWifiInterfaceInfo);