Heap-buffer-overflow in send_nl_data() of wifi hal am: 0a1b211537
Change-Id: I694e87918f034d686a969e0d61a2a3e5f7cb2b9c
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 3823439..2a6a9e9 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1112,6 +1112,12 @@
goto nl_out;
}
+ if (ctrl_msg->data_len > nlmsg_get_max_size(msg))
+ {
+ ALOGE("%s: Invalid ctrl msg length \n", __FUNCTION__);
+ retval = -1;
+ goto nl_out;
+ }
memcpy((char *)msg->nm_nlh, (char *)ctrl_msg->data, ctrl_msg->data_len);
if(ctrl_msg->family_name == GENERIC_NL_FAMILY)
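Review bot: The added check bounds `data_len` only from above, and the `memcpy` that follows overwrites the netlink header at `msg->nm_nlh` with caller-supplied bytes, so `nlmsg_len` is taken from `ctrl_msg->data` without being tied to the number of bytes actually copied. If the send path further down in send_nl_data() (outside this hunk) uses that field as the message length, a header claiming more than `data_len` could still cause a read past the initialised part of the buffer. I would reject short messages in the same guard, `if (ctrl_msg->data_len < sizeof(struct nlmsghdr) || ctrl_msg->data_len > nlmsg_get_max_size(msg))`, and after the copy add `if (msg->nm_nlh->nlmsg_len > ctrl_msg->data_len) { retval = -1; goto nl_out; }`. The log line would also be more useful for triage if it printed both lengths rather than a fixed string. The enclosing function starts and ends outside the hunk, so the allocation size of `msg` and the type of `data_len` should be confirmed against the full file.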