From f35ce58f516c15c022745d687bb1c59ffab63293 Mon Sep 17 00:00:00 2001
From: Insun Song
Date: Wed, 24 May 2017 10:11:27 -0700
Subject: net: wireless: bcmdhd: add boundary check in dhd_rtt_event_handler
added boundary check for input parameters not to corrupt kernel heap in case user injected malformed input
Signed-off-by: Insun Song
Bug: 37305578
Change-Id: I92114d7166fb68d8d97b33ea214f80e8917794d1
---
 drivers/net/wireless/bcmdhd/dhd_rtt.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/drivers/net/wireless/bcmdhd/dhd_rtt.c b/drivers/net/wireless/bcmdhd/dhd_rtt.c
index 371328a..34b05be 100644
--- a/drivers/net/wireless/bcmdhd/dhd_rtt.c
+++ b/drivers/net/wireless/bcmdhd/dhd_rtt.c
@@ -1696,6 +1696,10 @@ dhd_rtt_event_handler(dhd_pub_t *dhd, wl_event_msg_t *event, void *event_data)
 return ret;
 }
 }
+ if (!event_data) {
+ DHD_ERROR(("%s: event_data:NULL\n", __FUNCTION__));
+ return -EINVAL;
+ }
 p_event = (wl_proxd_event_t *) event_data;
 version = ltoh16(p_event->version);
 if (version < WL_PROXD_API_VERSION) {
@@ -1718,6 +1722,11 @@ dhd_rtt_event_handler(dhd_pub_t *dhd, wl_event_msg_t *event, void *event_data)
 goto exit; /* ignore this event */
 }
 /* get TLVs len, skip over event header */
+ if (ltoh16(p_event->len) < OFFSETOF(wl_proxd_event_t, tlvs)) {
+ DHD_ERROR(("invalid FTM event length:%d\n", ltoh16(p_event->len)));
+ ret = -EINVAL;
+ goto exit;
+ }
 tlvs_len = ltoh16(p_event->len) - OFFSETOF(wl_proxd_event_t, tlvs);
 DHD_RTT(("receive '%s' event: version=0x%x len=%d method=%d sid=%d tlvs_len=%d\n",
 p_loginfo->text,
--
cgit v1.1
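Review bot: The NULL test in the first hunk does not establish that the payload is large enough to hold the `wl_proxd_event_t` header, so `p_event->version` and `p_event->len` are still read from a buffer of unchecked size. The second hunk has the same gap from the other side: `p_event->len` is compared with the header offset, which stops `tlvs_len` from underflowing, but it is never compared with the number of bytes actually received. If `event->datalen` is reliable at this point (not visible in the hunks), add `if (ntoh32(event->datalen) < OFFSETOF(wl_proxd_event_t, tlvs)) return -EINVAL;` next to the NULL test, and also reject `ltoh16(p_event->len) > ntoh32(event->datalen)` before `tlvs_len` is computed. Without that upper bound, a self-declared length larger than the payload still reaches the TLV handling that presumably follows outside the hunk. The body of `dhd_rtt_event_handler` starts and ends outside both hunks, so any existing length validation elsewhere in the function should be confirmed before changing this.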