1e1238e1249e2ed611c7acc6d36617667b57d98f - kernel/msm-modules/qca-wfi-host-cmn

commit	1e1238e1249e2ed611c7acc6d36617667b57d98f	[log] [tgz]
author	abhinav kumar <abhikuma@codeaurora.org>	Wed Aug 11 22:19:11 2021 +0530
committer	Hsiu Chang Chen <hsiuchangchen@google.com>	Tue Nov 23 02:12:56 2021 +0000
tree	6daadbaae55f59f21ed45798dcec505a04b1743f
parent	8eadb5e4d5d7d3cb24be84a90a43569dcc62a3bd [diff]

qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handler

API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for
the event with WMI_OEM_RESPONSE_EVENTID. Host receives
"rsp->dma_len" from fw. The integer overflow occurs if
"oem_rsp->dma_len" is big enough while calculating the total
length of the Oem Data response buffer.

Fix is to add a sanity check for rsp->dma_len to avoid integer
overflow.

Bug: 203032261
Test: Regression test
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
Change-Id: Idfbd358f62534eae0147f03505ced5728877a269
CRs-Fixed: 3001191

target_if/wifi_pos/src/target_if_wifi_pos.c[diff]
umac/wifi_pos/src/wifi_pos_utils_i.h[diff]

2 files changed

tree: 6daadbaae55f59f21ed45798dcec505a04b1743f

cfg/
dp/
ftm/
global_lmac_if/
hal/
hif/
htc/
init_deinit/
os_if/
qal/
qdf/
scheduler/
spectral/
target_if/
umac/
utils/
wbuff/
wlan_cfg/
wmi/
OWNERS
README.txt
VERSION.txt