IPACM: fix wlan-event issue from ipa-driver
In 9x35, the ipacm_event_data_wlan_ex mesg structure
is redefined to have flexible attribes and causes the
memory allocation calculation of msg buffer incorrect.
The fix is to allocate max attribes as 3 and will do
error-checking when receiving msg from wlan-driver.
Change-Id: Ia4e4dc38d96b8d6afd2c84b93c9bf9de0fc65a55
diff --git a/ipacm/src/IPACM_Main.cpp b/ipacm/src/IPACM_Main.cpp
index d52c6b3..d7347f4 100644
--- a/ipacm/src/IPACM_Main.cpp
+++ b/ipacm/src/IPACM_Main.cpp
@@ -124,7 +124,8 @@
#define INOTIFY_EVENT_SIZE (sizeof(struct inotify_event))
#define INOTIFY_BUF_LEN (INOTIFY_EVENT_SIZE + 2*sizeof(IPACM_FIREWALL_FILE_NAME))
-#define IPA_DRIVER_WLAN_EVENT_SIZE (sizeof(struct ipa_wlan_msg_ex))
+#define IPA_DRIVER_WLAN_EVENT_MAX_OF_ATTRIBS 3
+#define IPA_DRIVER_WLAN_EVENT_SIZE (sizeof(struct ipa_wlan_msg_ex)+ IPA_DRIVER_WLAN_EVENT_MAX_OF_ATTRIBS*sizeof(ipa_wlan_hdr_attrib_val))
#define IPA_DRIVER_WLAN_META_MSG (sizeof(struct ipa_msg_meta))
#define IPA_DRIVER_WLAN_BUF_LEN (IPA_DRIVER_WLAN_EVENT_SIZE + IPA_DRIVER_WLAN_META_MSG)
@@ -376,6 +377,11 @@
case WLAN_CLIENT_CONNECT_EX:
IPACMDBG("Received WLAN_CLIENT_CONNECT_EX\n");
memcpy(&event_ex_o, buffer + sizeof(struct ipa_msg_meta),sizeof(struct ipa_wlan_msg_ex));
+ if(event_ex_o.num_of_attribs > IPA_DRIVER_WLAN_EVENT_MAX_OF_ATTRIBS)
+ {
+ IPACMERR("buffer size overflow\n");
+ return NULL;
+ }
length = sizeof(ipa_wlan_msg_ex)+ event_ex_o.num_of_attribs * sizeof(ipa_wlan_hdr_attrib_val);
IPACMDBG("num_of_attribs %d, length %d\n", event_ex_o.num_of_attribs, length);
event_ex = (ipa_wlan_msg_ex *)malloc(length);