Heap-buffer-overflow in send_nl_data() of wifi hal am: 0a1b211537 am: 959e96762c am: 862ef20479 Change-Id: I5780b15f8ba0dcfe6f940e52618b99d213199d05

commit: b5443ba1ef2fc22fa25d1fdd321bb21d1e204c52 [log] [tgz]
author: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Mar 10 02:07:01 2020 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Mar 10 02:07:01 2020 +0000
tree: 86eda819ed736c8c47d057c709ea355d5024b8cb
parent: bacd76701205413870fdbc4581857604726ddbf5 [diff]
parent: 862ef20479eb5b7ad1b4aebc643a768281b2fd31 [diff]
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 3823439..2a6a9e9 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp

@@ -1112,6 +1112,12 @@
        goto nl_out;
     }
 
+    if (ctrl_msg->data_len > nlmsg_get_max_size(msg))
+    {
+        ALOGE("%s: Invalid ctrl msg length \n", __FUNCTION__);
+        retval = -1;
+        goto nl_out;
+    }
     memcpy((char *)msg->nm_nlh, (char *)ctrl_msg->data, ctrl_msg->data_len);
 
    if(ctrl_msg->family_name == GENERIC_NL_FAMILY)
commit	b5443ba1ef2fc22fa25d1fdd321bb21d1e204c52	[log] [tgz]
author	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Tue Mar 10 02:07:01 2020 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Tue Mar 10 02:07:01 2020 +0000
tree	86eda819ed736c8c47d057c709ea355d5024b8cb
parent	bacd76701205413870fdbc4581857604726ddbf5 [diff]
parent	862ef20479eb5b7ad1b4aebc643a768281b2fd31 [diff]