commit b69eeaecfae81d8048e5a8a09310e35ce8df4c0e
author tinlin <tinlin@codeaurora.org> Wed Jan 17 16:01:28 2018 +0800
committer Anjaneedevi Kapparapu <akappara@codeaurora.org> Thu Feb 01 15:22:52 2018 +0530
tree 1ea74ddfeb804c366fd51903fc0e65e8aa4a5d64
parent f38cc43f9cdbb37b669313844b065a42d43cb361

qcacld-2.0: Add sanity check for wma_ndp_confirm_event_handler

Add sanity check for wma_ndp_confirm_event_handler and
wma_ndp_indication_event_handler to prevent OOB access.

Change-Id: I9ecf55a3606036d3e1f0916c948c4360475965fa
CRs-Fixed: 2170668

CORE/SERVICES/WMA/wma_nan_datapath.c

diff --git a/CORE/SERVICES/WMA/wma_nan_datapath.c b/CORE/SERVICES/WMA/wma_nan_datapath.c
index adaca21..5680de0 100644
--- a/CORE/SERVICES/WMA/wma_nan_datapath.c
+++ b/CORE/SERVICES/WMA/wma_nan_datapath.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -487,6 +487,18 @@
 	fixed_params =
 		(wmi_ndp_indication_event_fixed_param *)event->fixed_param;
 
+	if (fixed_params->ndp_cfg_len > event->num_ndp_cfg) {
+		WMA_LOGE("FW message ndp cfg length %d larger than TLV hdr %d",
+			 fixed_params->ndp_cfg_len, event->num_ndp_cfg);
+		return -EINVAL;
+	}
+
+	if (fixed_params->ndp_app_info_len > event->num_ndp_app_info) {
+		WMA_LOGE("FW message ndp app info length %d more than TLV hdr %d",
+			 fixed_params->ndp_app_info_len, event->num_ndp_app_info);
+		return -EINVAL;
+	}
+
 	ind_event = vos_mem_malloc(sizeof(*ind_event));
 	if (!ind_event) {
 		WMA_LOGP(FL("Failed to allocate memory"));
@@ -648,10 +660,20 @@
 		 fixed_params->reason_code,
 		 fixed_params->num_active_ndps_on_peer);
 
+	if (fixed_params->ndp_cfg_len > event->num_ndp_cfg) {
+		WMA_LOGE("FW message ndp cfg length %d larger than TLV hdr %d",
+			 fixed_params->ndp_cfg_len, event->num_ndp_cfg);
+		return -EINVAL;
+	}
 	WMA_LOGE(FL("ndp_cfg - %d bytes"), fixed_params->ndp_cfg_len);
 	VOS_TRACE_HEX_DUMP(VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_DEBUG,
 		&event->ndp_cfg, fixed_params->ndp_cfg_len);
 
+	if (fixed_params->ndp_app_info_len > event->num_ndp_app_info) {
+		WMA_LOGE("FW message ndp app info length %d more than TLV hdr %d",
+			 fixed_params->ndp_app_info_len, event->num_ndp_app_info);
+		return -EINVAL;
+	}
 	WMA_LOGE(FL("ndp_app_info - %d bytes"), fixed_params->ndp_app_info_len);
 	VOS_TRACE_HEX_DUMP(VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_DEBUG,
 		&event->ndp_app_info, fixed_params->ndp_app_info_len);