Merge "qcacmn: Fix possible OOB access while sending NAN msg to firmware"
diff --git a/wmi_unified_tlv.c b/wmi_unified_tlv.c
index a50e7b2..a54d603 100644
--- a/wmi_unified_tlv.c
+++ b/wmi_unified_tlv.c
@@ -10424,6 +10424,18 @@
nan_data_len = nan_req->request_data_len;
nan_data_len_aligned = roundup(nan_req->request_data_len,
sizeof(uint32_t));
+ if (nan_data_len_aligned < nan_req->request_data_len) {
+ WMI_LOGE("%s: integer overflow while rounding up data_len",
+ __func__);
+ return QDF_STATUS_E_FAILURE;
+ }
+
+ if (nan_data_len_aligned > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE) {
+ WMI_LOGE("%s: wmi_max_msg_size overflow for given datalen",
+ __func__);
+ return QDF_STATUS_E_FAILURE;
+ }
+
len += WMI_TLV_HDR_SIZE + nan_data_len_aligned;
buf = wmi_buf_alloc(wmi_handle, len);
if (!buf) {
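Review bot: The second added check bounds `nan_data_len_aligned` against `WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE` but ignores what `len` already holds before `len += WMI_TLV_HDR_SIZE + nan_data_len_aligned`, so the size passed to `wmi_buf_alloc` can still exceed the message limit by that amount. The initial value and type of `len` are set outside this hunk (presumably the fixed command structure size), so this is inferred from the `+=`. If that holds, the guard should compare against the remaining room, for example `if (nan_data_len_aligned > WMI_SVC_MSG_MAX_SIZE - WMI_TLV_HDR_SIZE - len)`. If `len` is a narrow integer type, it is also worth confirming that the sum cannot truncate before the allocation. The function starts and ends outside the hunk, so the later copy into the buffer is not visible here; it should be checked that it uses `nan_data_len` and not the aligned length.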