Merge "qcacld-3.0: Fix possible buffer overflow in wma_encrypt_decrypt_msg_handler" into android-msm-bluecross-4.9-pi-qpr1

commit: 29dfedb598500f85af6fa35923b7d905cea10131 [log] [tgz]
author: Kumar Anand <kumaranand@google.com> Wed Sep 05 19:53:56 2018 +0000
committer: Android Partner Code Review <android-gerrit-partner@google.com> Wed Sep 05 19:53:56 2018 +0000
tree: 4188245ed790b2ed3333d2c84dcda3cd581422fe
parent: c458805ebab0b11ef1f69907d0cf859673d140c2 [diff]
parent: b294e31aa3af980e91dd903c788be5d55ca15e5d [diff]
diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c
index b567e63..9ae9646 100644
--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c

@@ -10777,7 +10777,9 @@
 	encrypt_decrypt_rsp_params.vdev_id = data_event->vdev_id;
 	encrypt_decrypt_rsp_params.status = data_event->status;
 
-	if (data_event->data_length > param_buf->num_enc80211_frame) {
+	if ((data_event->data_length > param_buf->num_enc80211_frame) ||
+	    (data_event->data_length > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE -
+	     sizeof(*data_event))) {
 		WMA_LOGE("FW msg data_len %d more than TLV hdr %d",
 			 data_event->data_length,
 			 param_buf->num_enc80211_frame);
commit	29dfedb598500f85af6fa35923b7d905cea10131	[log] [tgz]
author	Kumar Anand <kumaranand@google.com>	Wed Sep 05 19:53:56 2018 +0000
committer	Android Partner Code Review <android-gerrit-partner@google.com>	Wed Sep 05 19:53:56 2018 +0000
tree	4188245ed790b2ed3333d2c84dcda3cd581422fe
parent	c458805ebab0b11ef1f69907d0cf859673d140c2 [diff]
parent	b294e31aa3af980e91dd903c788be5d55ca15e5d [diff]