release-request-c72e46fd-06a9-4104-bad3-f7ba8aeb3e1d-for-git_oc-release-4029917 snap-temp-L38800000066299680

Change-Id: Ia2f72c6b129b95b98eeed789961231e792619024
diff --git a/qcwcn/wifi_hal/wifilogger_diag.cpp b/qcwcn/wifi_hal/wifilogger_diag.cpp
index 5e9227b..d131102 100644
--- a/qcwcn/wifi_hal/wifilogger_diag.cpp
+++ b/qcwcn/wifi_hal/wifilogger_diag.cpp
@@ -2251,6 +2251,7 @@
         }
     } else if (cmd == ANI_NL_MSG_CNSS_DIAG) {
         uint16_t diag_fw_type;
+        struct nlmsghdr *nlh = nlmsg_hdr(msg);
 
         if (!info->cldctx) {
             buf = (uint8_t *)NLMSG_DATA(wnl) + sizeof(wnl->clh.radio);
@@ -2268,6 +2269,12 @@
                       wnl->nlh.nlmsg_len);
                 return WIFI_ERROR_UNKNOWN;
             }
+        } else {
+            if (nlh->nlmsg_len <= NLMSG_HDRLEN + sizeof(dbglog_slot)) {
+                ALOGE("Received CNSS_DIAG message with insufficent length: %d: %s:%d",
+                      nlh->nlmsg_len, __FUNCTION__, __LINE__);
+                return WIFI_ERROR_UNKNOWN;
+            }
         }
         diag_fw_type = event_hdr->diag_type;
         if (diag_fw_type == DIAG_TYPE_FW_MSG) {
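Review bot: The new guard on L21 uses `<=`, so a CNSS_DIAG message that carries exactly one `dbglog_slot` header with a zero-length payload is rejected, while the per-slot check in the later hunk uses `<` and would accept it; if rejecting empty slots is intended, a one-line comment saying so would stop the next reader from "fixing" it, otherwise `if (nlh->nlmsg_len < NLMSG_HDRLEN + sizeof(dbglog_slot))` keeps the two checks consistent. `nlmsg_len` is an unsigned field, so the ALOGE should use `%u` rather than `%d`, and the message text misspells "insufficient". This check only covers the `info->cldctx` path; the `!info->cldctx` path relies on the pre-existing check against `wnl->nlh.nlmsg_len` whose condition starts above this hunk, so I cannot confirm here that it bounds the same `sizeof(dbglog_slot)` read that L27's `event_hdr->diag_type` and the later `slot->length` access depend on. The enclosing function begins and ends outside the hunk.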
@@ -2275,6 +2282,16 @@
             u16 length = 0;
 
             slot = (dbglog_slot *)buf;
+            if (nlh->nlmsg_len < (NLMSG_HDRLEN + sizeof(dbglog_slot) +
+                                        slot->length)) {
+                ALOGE("Received CNSS_DIAG message with insufficent length: %d:"
+                              " expected: %zu, %s:%d",
+                      nlh->nlmsg_len,
+                      (NLMSG_HDRLEN + sizeof(dbglog_slot) +slot->length),
+                      __FUNCTION__,
+                      __LINE__);
+                return WIFI_ERROR_UNKNOWN;
+            }
             length = get_le32((u8 *)&slot->length);
             process_fw_diag_msg(info, &slot->payload[0], length);
         }
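Review bot: The guard on L33–34 validates the raw `slot->length` field, but the value actually handed to process_fw_diag_msg is `get_le32((u8 *)&slot->length)` stored into a `u16` (L30, L43–44), so the check and the consumer can disagree on the payload size on a big-endian host and the `u16` silently truncates anything above 65535. Decode once and check the decoded value: `uint32_t payload_len = get_le32((u8 *)&slot->length);` then `if (nlh->nlmsg_len < NLMSG_HDRLEN + sizeof(dbglog_slot) + payload_len)` and pass `payload_len` to process_fw_diag_msg, dropping the `u16 length` local. In the `!info->cldctx` path `buf` starts at `NLMSG_DATA(wnl) + sizeof(wnl->clh.radio)` (first hunk), so if `nlh` refers to that same netlink header the required length here is short by the radio field; worth confirming against the cldctx setup that sits outside the hunk. As in the previous hunk, `nlmsg_len` is unsigned and should be printed with `%u`, and "insufficent" should read "insufficient".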