diff options
| author | tinlin <tinlin@codeaurora.org> | 2018-03-26 19:51:19 +0800 |
|---|---|---|
| committer | tinlin <tinlin@codeaurora.org> | 2018-03-26 20:16:40 +0800 |
| commit | c4de9154895c61d19cbe33e03d99c67ea664fa2b (patch) | |
| tree | 6f8b0c4d969642a87b982277336ef69e657eda16 /tools/perf/scripts/python/syscall-counts.py | |
| parent | 778ac228dd627296fc5ea5d43eddc492c0cafd8d (diff) | |
qcacld-2.0: Fix OOB write in wma_passpoint_match_event_handler
Propagation from cld3.0 to cld2.0.
In the function wma_passpoint_match_event_handler, fixed param event data
from firmware is filled in the destination buffer and indication is sent
to upper layers. The buffer allocation is done for the size
(wmi_passpoint_event_hdr*) + event->ie_length + event->anqp_length. The
maximum firmware event message size is WMI_SVC_MSG_MAX_SIZE. If either,
ie_length and anqp_length combined is greater than WMI_SVC_MSG_MAX_SIZE or
either of the two exceeds WMI_SVC_MSG_MAC_SIZE, an OOB write will occur in
wma_passpoint_match_event_handler.
Add check to ensure either of the values ie_length or anqp_lenth or
(ie_length + anqp_length) doesnt exceed the WMI_SVC_MAX_SIZE. Return
failure if it exceeds.
Change-Id: I21f473ca0b99ebb8488f2cca3c0774817ea97c3a
CRs-Fixed: 2212696
Diffstat (limited to 'tools/perf/scripts/python/syscall-counts.py')
0 files changed, 0 insertions, 0 deletions