| author | jitiphil <jitiphil@codeaurora.org> | 2018-08-09 14:17:54 +0530 |
|---|---|---|
| committer | Miguel de Dios <migueldedios@google.com> | 2019-01-10 19:37:14 +0000 |
| commit | aeac61419ccd7c23c30b7057d97dcf7178e07f3a (patch) | |
| tree | 2bef341e3df7342a80f3f26c5ee17aeea4b1b110 /net/lapb/lapb_timer.c | |
| parent | d7af6a17f0fe3a94107efb1b1afdde9fb160c532 (diff) | |
qcacld-2.0: Integer overflow in wma_unified_link_peer_stats_event_handler

In wma_unified_link_peer_stats_event_handler a check for excess WMI
buffer is done by comparing difference between WMI_SVC_MSG_MAX_SIZE and
buffer length with size of wmi_peer_stats_event_fixed_param. In case the
buffer length is a value larger than WMI_SVC_MSG_MAX_SIZE, and as buffer
length is an unsigned integer, it causes an integer overflow and results
in a very large value, thus invalidating the check.

Change the check to compare difference of WMI_SVC_MSG_MAX_SIZE and size
of wmi_peer_stats_event_fixed_param with the buffer length which
prevents chance of integer overflow.

Bug: 112278150
Change-Id: Ic99d0cf6b34c7c45dde3c4feb50e102807564eff
CRs-Fixed: 2262294
Signed-off-by: Ecco Park <eccopark@google.com>
Diffstat (limited to 'net/lapb/lapb_timer.c')
0 files changed, 0 insertions, 0 deletions
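
The two forms of the length check described in the commit message, modeled as an added C example that is not the driver's code. The constants are constructed stand-ins for WMI_SVC_MSG_MAX_SIZE and sizeof(wmi_peer_stats_event_fixed_param), and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values for illustration; not taken from the driver headers. */
#define MSG_MAX_SIZE   1536u  /* stands in for WMI_SVC_MSG_MAX_SIZE */
#define FIXED_HDR_SIZE 24u    /* stands in for sizeof(wmi_peer_stats_event_fixed_param) */

_Static_assert(FIXED_HDR_SIZE <= MSG_MAX_SIZE, "constant subtraction must not wrap");

/* Check as described before the fix. Returns 1 if buf_len is accepted. */
int accepts_before_fix(uint32_t buf_len)
{
    /* Unsigned subtraction wraps modulo 2^32 when buf_len > MSG_MAX_SIZE,
     * so the "remaining room" becomes a huge value and the test passes. */
    uint32_t room = (uint32_t)(MSG_MAX_SIZE - buf_len);

    if (room < FIXED_HDR_SIZE)
        return 0;
    return 1;
}

/* Check as described after the fix. Returns 1 if buf_len is accepted. */
int accepts_after_fix(uint32_t buf_len)
{
    /* Only compile-time constants are subtracted, so nothing can wrap;
     * the untrusted length is compared against a fixed upper bound. */
    if (buf_len > MSG_MAX_SIZE - FIXED_HDR_SIZE)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed buffer lengths around the boundary and past the maximum. */
    const uint32_t samples[] = { 0u, 1512u, 1513u, 1536u, 1537u, 0xFFFFFFFFu };
    size_t i;

    printf("%12s %8s %8s\n", "buf_len", "before", "after");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%12u %8s %8s\n", (unsigned)samples[i],
               accepts_before_fix(samples[i]) ? "accept" : "reject",
               accepts_after_fix(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Both checks agree for every length up to the maximum; they differ only for lengths above it, which the first form accepts and the second rejects.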
