Merge "qcacld-3.0: Fix possible buffer overflow in wma_encrypt_decrypt_msg_handler" into android-msm-bluecross-4.9-pi-qpr1
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c
index b567e63..9ae9646 100644
--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c
@@ -10777,7 +10777,9 @@
encrypt_decrypt_rsp_params.vdev_id = data_event->vdev_id;
encrypt_decrypt_rsp_params.status = data_event->status;
- if (data_event->data_length > param_buf->num_enc80211_frame) {
+ if ((data_event->data_length > param_buf->num_enc80211_frame) ||
+ (data_event->data_length > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE -
+ sizeof(*data_event))) {
WMA_LOGE("FW msg data_len %d more than TLV hdr %d",
data_event->data_length,
param_buf->num_enc80211_frame);