Merge "[qca-ssdk]: Avoid memory overflow in sw_api_ks_netlink.c"
diff --git a/src/sal/sd/linux/uk_interface/sw_api_ks_netlink.c b/src/sal/sd/linux/uk_interface/sw_api_ks_netlink.c
index 97741d6..145c7cd 100755
--- a/src/sal/sd/linux/uk_interface/sw_api_ks_netlink.c
+++ b/src/sal/sd/linux/uk_interface/sw_api_ks_netlink.c
@@ -314,6 +314,11 @@
#endif
}
+ if(nlh->nlmsg_len < (SW_MAX_PAYLOAD + sizeof(nlmsghdr)))
+ {
+ dprintk("data length is less than %d bytes\n", SW_MAX_PAYLOAD);
+ SW_OUT_ON_ERROR(SW_ABORTED);
+ }
aos_mem_copy(args, NLMSG_DATA(nlh), SW_MAX_PAYLOAD);
/* return API result to user */
rtn = (a_uint32_t) rv;
@@ -384,6 +389,11 @@
#endif
}
+ if(nlh->nlmsg_len < (SW_MAX_PAYLOAD + sizeof(nlmsghdr)))
+ {
+ dprintk("data length is less than %d bytes\n", SW_MAX_PAYLOAD);
+ SW_OUT_ON_ERROR(SW_ABORTED);
+ }
aos_mem_copy(args, NLMSG_DATA(nlh), SW_MAX_PAYLOAD);
rv = sw_api_cmd(args);
@@ -506,6 +516,11 @@
}
dst_pid = nlh->nlmsg_pid;
+ if(nlh->nlmsg_len < (SW_MAX_PAYLOAD + sizeof(nlmsghdr)))
+ {
+ dprintk("data length is less than %d bytes\n", SW_MAX_PAYLOAD);
+ SW_OUT_ON_ERROR(SW_ABORTED);
+ }
aos_mem_copy(args, NLMSG_DATA(nlh), SW_MAX_PAYLOAD);
/* return API result to user */
rtn = (a_uint32_t) rv;
@@ -574,6 +589,11 @@
}
dst_pid = nlh->nlmsg_pid;
+ if(nlmsglen < (SW_MAX_PAYLOAD + sizeof(nlmsghdr)))
+ {
+ dprintk("data length is less than %d bytes\n", SW_MAX_PAYLOAD);
+ SW_OUT_ON_ERROR(SW_ABORTED);
+ }
aos_mem_copy(args, NLMSG_DATA(nlh), SW_MAX_PAYLOAD);
rv = sw_api_cmd(args);