From 579e796cb089324c55e0e689a180575ba81b23d9 Mon Sep 17 00:00:00 2001
From: Anand Kumar <anandkumar@codeaurora.org>
Date: Tue, 21 Jun 2016 17:36:05 +0530
Subject: wcnss: Avoid user buffer overloading for write cal data

compare size of allocated cal data buffer from heap
and count bytes provided to write by user to avoid
heap overflow for write cal data.

Change-Id: Id70c3230f761385489e5e94c613f4519239dfb1f
CRs-Fixed: 1032174
Signed-off-by: Anand Kumar <anandkumar@codeaurora.org>
---
 drivers/net/wireless/wcnss/wcnss_wlan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/wcnss/wcnss_wlan.c b/drivers/net/wireless/wcnss/wcnss_wlan.c
index 86f3a48..3f9eeab 100644
--- a/drivers/net/wireless/wcnss/wcnss_wlan.c
+++ b/drivers/net/wireless/wcnss/wcnss_wlan.c
@@ -3339,7 +3339,7 @@ static ssize_t wcnss_wlan_write(struct file *fp, const char __user
 		return -EFAULT;
 
 	if ((UINT32_MAX - count < penv->user_cal_rcvd) ||
-	     MAX_CALIBRATED_DATA_SIZE < count + penv->user_cal_rcvd) {
+		(penv->user_cal_exp_size < count + penv->user_cal_rcvd)) {
 		pr_err(DEVICE " invalid size to write %zu\n", count +
 				penv->user_cal_rcvd);
 		rc = -ENOMEM;
-- 
cgit v1.1