DivestOS/Patches/Linux_CVEs/CVE-2016-8466/3.10/0.patch

From 67d429b1cb87879c33df58febc0b7bf6712bc7c0 Mon Sep 17 00:00:00 2001
From: Ram Sripathi <ram.sripathi@broadcom.com>
Date: Fri, 4 Nov 2016 15:44:14 -0700
Subject: [PATCH] net: wireless: bcmdhd: Heap over write in
 dhdmsgbuf_query_ioctl

handled heap overwrite with checks

Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31
Bug: 31822524
Signed-off-by: Ram Sripathi <ram.sripathi@broadcom.com>
---
 drivers/net/wireless/bcmdhd/dhd_msgbuf.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
index cb5018c52f10b..90f9733a7e36c 100644
--- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
+++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
@@ -2612,22 +2612,24 @@ static int
 dhdmsgbuf_query_ioctl(dhd_pub_t *dhd, int ifidx, uint cmd, void *buf, uint len, uint8 action)
 {
 	dhd_prot_t *prot = dhd->prot;
-
 	int ret = 0;
 
-	DHD_TRACE(("%s: Enter\n", __FUNCTION__));
-
-	/* Respond "bcmerror" and "bcmerrorstr" with local cache */
-	if (cmd == WLC_GET_VAR && buf)
-	{
-		if (!strcmp((char *)buf, "bcmerrorstr"))
-		{
-			strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN);
+	DHD_TRACE(("%s: Enter\n", __func__));
+	if (!buf || !len) {
+		DHD_ERROR(("%s(): Zero length bailing\n", __func__));
+		ret = BCME_BADARG;
+		goto done;
+	}
+	if (cmd == WLC_GET_VAR) {
+		/* Respond "bcmerror" and "bcmerrorstr" with local cache */
+		if ((len > strlen("bcmerrorstr")) &&
+		    !strcmp(buf, "bcmerrorstr")) {
+			strlcpy(buf, bcmerrorstr(dhd->dongle_error), len);
 			goto done;
-		}
-		else if (!strcmp((char *)buf, "bcmerror"))
-		{
-			*(int *)buf = dhd->dongle_error;
+		} else if ((len > strlen("bcmerror")) &&
+			   !strcmp(buf, "bcmerror")) {
+			memcpy(buf, &dhd->dongle_error,
+			       sizeof(dhd->dongle_error));
 			goto done;
 		}
 	}
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 67d429b1cb87879c33df58febc0b7bf6712bc7c0 Mon Sep 17 00:00:00 2001`
			`From: Ram Sripathi <ram.sripathi@broadcom.com>`
			`Date: Fri, 4 Nov 2016 15:44:14 -0700`
			`Subject: [PATCH] net: wireless: bcmdhd: Heap over write in`
			`dhdmsgbuf_query_ioctl`

			`handled heap overwrite with checks`

			`Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31`
			`Bug: 31822524`
			`Signed-off-by: Ram Sripathi <ram.sripathi@broadcom.com>`
			`---`
			`drivers/net/wireless/bcmdhd/dhd_msgbuf.c \| 28 +++++++++++++++-------------`
			`1 file changed, 15 insertions(+), 13 deletions(-)`

			`diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c`
			`index cb5018c52f10b..90f9733a7e36c 100644`
			`--- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c`
			`+++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c`
			`@@ -2612,22 +2612,24 @@ static int`
			`dhdmsgbuf_query_ioctl(dhd_pub_t dhd, int ifidx, uint cmd, void buf, uint len, uint8 action)`
			`{`
			`dhd_prot_t *prot = dhd->prot;`
			`-`
			`int ret = 0;`

			`- DHD_TRACE(("%s: Enter\n", __FUNCTION__));`
			`-`
			`- /* Respond "bcmerror" and "bcmerrorstr" with local cache */`
			`- if (cmd == WLC_GET_VAR && buf)`
			`- {`
			`- if (!strcmp((char *)buf, "bcmerrorstr"))`
			`- {`
			`- strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN);`
			`+ DHD_TRACE(("%s: Enter\n", __func__));`
			`+ if (!buf \|\| !len) {`
			`+ DHD_ERROR(("%s(): Zero length bailing\n", __func__));`
			`+ ret = BCME_BADARG;`
			`+ goto done;`
			`+ }`
			`+ if (cmd == WLC_GET_VAR) {`
			`+ /* Respond "bcmerror" and "bcmerrorstr" with local cache */`
			`+ if ((len > strlen("bcmerrorstr")) &&`
			`+ !strcmp(buf, "bcmerrorstr")) {`
			`+ strlcpy(buf, bcmerrorstr(dhd->dongle_error), len);`
			`goto done;`
			`- }`
			`- else if (!strcmp((char *)buf, "bcmerror"))`
			`- {`
			`- (int )buf = dhd->dongle_error;`
			`+ } else if ((len > strlen("bcmerror")) &&`
			`+ !strcmp(buf, "bcmerror")) {`
			`+ memcpy(buf, &dhd->dongle_error,`
			`+ sizeof(dhd->dongle_error));`
			`goto done;`
			`}`
			`}`