Skip to content

Commit a12ebb7

Browse files
Aditya Kodukuladereference23
Aditya Kodukula
authored and
dereference23
committed
qcacld-3.0: Fix potential OOB memory access
Currently in the wma_stats_ext_event_handler(), the buf_ptr is not pointing correctly to the event data received from FW. This is leading to an OOB memory access during qdf_mem_copy(). So, to avoid this issue correctly point the buf_ptr to the event data sent by the FW in the TLV. Change-Id: Iffa3e96a6a36eff5899a7a9a7febe0ebb9d7878f CRs-Fixed: 4011656
1 parent f826e1a commit a12ebb7

1 file changed

Lines changed: 3 additions & 5 deletions

File tree

drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
/*
22
* Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
3-
* Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
3+
* Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
44
*
55
* Permission to use, copy, modify, and/or distribute this software for
66
* any purpose with or without fee is hereby granted, provided that the
@@ -708,7 +708,6 @@ int wma_stats_ext_event_handler(void *handle, uint8_t *event_buf,
708708
}
709709

710710
stats_ext_info = param_buf->fixed_param;
711-
buf_ptr = (uint8_t *)stats_ext_info;
712711

713712
alloc_len = sizeof(tSirStatsExtEvent);
714713
alloc_len += stats_ext_info->data_len;
@@ -725,7 +724,7 @@ int wma_stats_ext_event_handler(void *handle, uint8_t *event_buf,
725724
if (!stats_ext_event)
726725
return -ENOMEM;
727726

728-
buf_ptr += sizeof(wmi_stats_ext_event_fixed_param) + WMI_TLV_HDR_SIZE;
727+
buf_ptr = (uint8_t *)param_buf->data;
729728

730729
stats_ext_event->vdev_id = stats_ext_info->vdev_id;
731730
stats_ext_event->event_data_len = stats_ext_info->data_len;
@@ -775,7 +774,6 @@ int wma_stats_ext_event_handler(void *handle, uint8_t *event_buf,
775774
}
776775

777776
stats_ext_info = param_buf->fixed_param;
778-
buf_ptr = (uint8_t *)stats_ext_info;
779777

780778
alloc_len = sizeof(tSirStatsExtEvent);
781779
alloc_len += stats_ext_info->data_len;
@@ -791,7 +789,7 @@ int wma_stats_ext_event_handler(void *handle, uint8_t *event_buf,
791789
if (!stats_ext_event)
792790
return -ENOMEM;
793791

794-
buf_ptr += sizeof(wmi_stats_ext_event_fixed_param) + WMI_TLV_HDR_SIZE;
792+
buf_ptr = (uint8_t *)param_buf->data;
795793

796794
stats_ext_event->vdev_id = stats_ext_info->vdev_id;
797795
stats_ext_event->event_data_len = stats_ext_info->data_len;

0 commit comments

Comments
 (0)