Heap-buffer-overflow in send_nl_data() of wifi hal am: 0a1b211537 am: 959e96762c am: 862ef20479
Change-Id: I5780b15f8ba0dcfe6f940e52618b99d213199d05
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 3823439..2a6a9e9 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1112,6 +1112,12 @@
goto nl_out;
}
+ if (ctrl_msg->data_len > nlmsg_get_max_size(msg))
+ {
+ ALOGE("%s: Invalid ctrl msg length \n", __FUNCTION__);
+ retval = -1;
+ goto nl_out;
+ }
memcpy((char *)msg->nm_nlh, (char *)ctrl_msg->data, ctrl_msg->data_len);
if(ctrl_msg->family_name == GENERIC_NL_FAMILY)