evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wcnss: fix integer underflow in wcnss_wlan

Browse source 
Fix integer underflow which may eventually results in an buffer
overread in wcnss_nvbin_dnld when the firmware file size is less
than 4 Byte. Add a check on file size before performing 
arithmetic operation which avoids buffer underflow.

CRs-Fixed: 2279226
Change-Id: Ia7fdb859e8c999f8a2e81c957c7cab35ef312844
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
This commit is contained in:
Sandeep Singh 2018-10-04 15:53:23 +05:30
parent 3b8fc0b7a3
commit 5bad01206d
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/net/wireless/wcnss/wcnss_wlan.c
View file

@ -2368,6 +2368,12 @@ static void wcnss_nvbin_dnld(void)
goto out;
}
if (nv->size <= 4) {
pr_err("wcnss: %s: request_firmware failed for %s (file size = %zu)\n",
__func__, NVBIN_FILE, nv->size);
goto out;
}
/* First 4 bytes in nv blob is validity bitmap.
* We cannot validate nv, so skip those 4 bytes.
*/