From ddc398c5d658b5b33c23dbca617e0d1d021a5c6d Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Tue, 31 Jan 2017 14:32:12 -0800
Subject: [PATCH] qcacld-2.0: Avoid integer overflow in
 wma_enable_arp_ns_offload

In the function wma_enable_arp_ns_offload(), the len variable is
defined as signed 32 bit, whereas wmi_buf_alloc() takes unsigned
16 bit as input also there is no limit on input of
num_ns_offload_count.

Fix is to define the len variable in wma_enable_arp_ns_offload()
as unsigned 32 bit. The length input for wmi_buf_alloc() is also
extended and re-defined as unsigned 32 bit. Add limit check before
using num_ns_offload_count.

Change-Id: I5063df9551074e964eef67abeb8afcf104e50808
CRs-Fixed: 1103099
Bug: 32658595
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
 drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h | 4 ++--
 drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c                | 7 ++++++-
 drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c        | 4 ++--
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h
index cd9f923beca83..2912d471158f7 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -69,7 +69,7 @@ wmi_unified_remove_work(struct wmi_unified* wmi_handle);
  *  @return wmi_buf_t.
  */
 wmi_buf_t
-wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len);
+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
 
 
 /**
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index 72564ac017ebe..9ca604952e03b 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -24576,7 +24576,7 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma,
 	WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param *cmd;
 	A_UINT8* buf_ptr;
 	wmi_buf_t buf;
-	int32_t len;
+	uint32_t len;
 	VOS_STATUS status = VOS_STATUS_SUCCESS;
 	u_int8_t vdev_id;
 	tpSirHostOffloadReq ns_offload_req;
@@ -24610,6 +24610,11 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma,
 		count = hostoffloadreq->num_ns_offload_count;
 	}
 
+	if (count >= SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA) {
+		status = VOS_STATUS_E_INVAL;
+		goto err_vdev;
+	}
+
 	len = sizeof(WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param) +
 		WMI_TLV_HDR_SIZE + /* Add size for array of NS tuples */
 		WMI_MAX_NS_OFFLOADS*sizeof(WMI_NS_OFFLOAD_TUPLE) +
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c
index fe72942417bbc..11107d6a5b6d8 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2017 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -131,7 +131,7 @@ uint16_t wmi_get_max_msg_len(wmi_unified_t wmi_handle)
 }
 
 wmi_buf_t
-wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len)
+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
 {
 	wmi_buf_t wmi_buf;