Merge android14-gs-pixel-5.15-24Q2 into android14-gs-pixel-5.15 SBMerger: 610748217 Change-Id: Icfd1d8998bb641e83bc28e548e1647960bd85e83 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

commit: 4689f3747d62ae9ce240e018f2304c597aad98cd [log] [tgz]
author: PixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> Sun Mar 03 18:41:36 2024 -0800
committer: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> Sun Mar 03 18:41:37 2024 -0800
tree: e881b9ed0141532231234de1bf6b7a0351d973c5
parent: 1beb5ab50a4d4526646c5b89c18b68d83bf09d2c [diff]
parent: 64492487aeff10809ecd9229222e04ccb06ecb17 [diff]
diff --git a/dhd_msgbuf.c b/dhd_msgbuf.c
index ecbdd10..6d42469 100644
--- a/dhd_msgbuf.c
+++ b/dhd_msgbuf.c

@@ -12483,10 +12483,13 @@
 	rqstlen = len;
 	resplen = len;
 
-	/* Limit ioct request to MSGBUF_MAX_MSG_SIZE bytes including hdrs */
-	/* 8K allocation of dongle buffer fails */
-	/* dhd doesnt give separate input & output buf lens */
-	/* so making the assumption that input length can never be more than 2k */
+	/* fail 'set' ioctl request if len > MSGBUF_MAX_MSG_SIZE bytes including hdrs */
+	if ((action & WL_IOCTL_ACTION_SET) && (rqstlen > MSGBUF_IOCTL_MAX_RQSTLEN)) {
+		DHD_ERROR(("%s: rqstlen(%u) larger than %u\n", __FUNCTION__, rqstlen,
+			MSGBUF_IOCTL_MAX_RQSTLEN));
+		return BCME_BADLEN;
+	}
+
 	rqstlen = MIN(rqstlen, MSGBUF_IOCTL_MAX_RQSTLEN);
 
 #ifdef PCIE_INB_DW
commit	4689f3747d62ae9ce240e018f2304c597aad98cd	[log] [tgz]
author	PixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com>	Sun Mar 03 18:41:36 2024 -0800
committer	SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>	Sun Mar 03 18:41:37 2024 -0800
tree	e881b9ed0141532231234de1bf6b7a0351d973c5
parent	1beb5ab50a4d4526646c5b89c18b68d83bf09d2c [diff]
parent	64492487aeff10809ecd9229222e04ccb06ecb17 [diff]