From a0ae6f0e9f74f1ae36509ea3adc52f51610dd335 Mon Sep 17 00:00:00 2001
From: tinlin <tinlin@codeaurora.org>
Date: Thu, 11 Jan 2018 15:45:27 +0800
Subject: [PATCH] qcacld-2.0: Add data_len check to avoid OOB access

Add data_len check in wma_nan_rsp_event_handler()
to avoid OOB access.

Bug: 74237168
Change-Id: Iff42da84567381a4b64bc07e69ff1a0cd4b5a543
CRs-Fixed: 2170630
---
 drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index cd22e595b2cf..c94b701043f6 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -6521,7 +6521,8 @@ static int wma_nan_rsp_event_handler(void *handle, u_int8_t *event_buf,
 	alloc_len = sizeof(tSirNanEvent);
 	alloc_len += nan_rsp_event_hdr->data_len;
 	if (nan_rsp_event_hdr->data_len > ((WMA_SVC_MSG_MAX_SIZE -
-	    sizeof(*nan_rsp_event_hdr)) / sizeof(u_int8_t))) {
+	    sizeof(*nan_rsp_event_hdr)) / sizeof(u_int8_t)) ||
+	    nan_rsp_event_hdr->data_len > param_buf->num_data)  {
 		WMA_LOGE("excess data length:%d", nan_rsp_event_hdr->data_len);
 		VOS_ASSERT(0);
 		return -EINVAL;
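Review bot: The rejection path at the `WMA_LOGE` line now fires for two different bounds but still logs only `data_len`, so a triager cannot tell whether the event exceeded `WMA_SVC_MSG_MAX_SIZE` or claimed more bytes than `param_buf->num_data` holds. Logging both values would settle that, e.g. `WMA_LOGE("excess data length:%u num_data:%u", nan_rsp_event_hdr->data_len, param_buf->num_data);` (`%u` assumes both fields are unsigned 32-bit, which the hunk does not show). A short comment above the condition, such as `/* data_len is taken from the event header; bound it by the bytes actually received (num_data) */`, would record why the second comparison exists. Separately, `alloc_len += nan_rsp_event_hdr->data_len` still runs before the length is validated; the early return appears to make that harmless, but moving the sum below the check would keep an unvalidated value out of `alloc_len`. The function body starts and ends outside the hunk, so the NULL check on `param_buf` and the later copy of the payload are not visible here.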
-- 
GitLab