Heap-buffer-overflow in send_nl_data() of wifi hal am: 0a1b211537
Change-Id: Iddb8478deffb744e5d0d586ab5174927a3a667c3
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index cb82885..cb770ee 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1112,6 +1112,12 @@
goto nl_out;
}
+ if (ctrl_msg->data_len > nlmsg_get_max_size(msg))
+ {
+ ALOGE("%s: Invalid ctrl msg length \n", __FUNCTION__);
+ retval = -1;
+ goto nl_out;
+ }
memcpy((char *)msg->nm_nlh, (char *)ctrl_msg->data, ctrl_msg->data_len);
if(ctrl_msg->family_name == GENERIC_NL_FAMILY)