From a3974e61c960aadcc147c3c5704a67309171642d Mon Sep 17 00:00:00 2001 From: SaidiReddy Yenuga Date: Thu, 16 Jun 2016 13:20:35 +0530 Subject: qcacld-2.0: Fix buffer over read in iwpriv WE_UNIT_TEST_CMD command In current driver, WE_UNIT_TEST_CMD has below problem. - apps_arg[1] can have zero value and can lead to buffer overead Change the code to handle the number of args if user has given zero. CRs-Fixed: 1029540 Change-Id: Idc8e1d77d9623daeb98d0c4b7ad8a8d6cfa9c2d2 --- CORE/HDD/src/wlan_hdd_wext.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c index fd738da..33d4dfd 100644 --- a/CORE/HDD/src/wlan_hdd_wext.c +++ b/CORE/HDD/src/wlan_hdd_wext.c @@ -9072,7 +9072,7 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, } if ((apps_args[1] > (WMA_MAX_NUM_ARGS)) || (apps_args[1] < 0)) { - hddLog(LOGE, FL("Too Many args %d"), apps_args[1]); + hddLog(LOGE, FL("Too Many/Few args %d"), apps_args[1]); return -EINVAL; } unitTestArgs = vos_mem_malloc(sizeof(*unitTestArgs)); @@ -9084,8 +9084,7 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, unitTestArgs->vdev_id = (int)pAdapter->sessionId; unitTestArgs->module_id = apps_args[0]; unitTestArgs->num_args = apps_args[1]; - for (i = 0, j = 2; i < unitTestArgs->num_args - 1; - i++, j++) { + for (i = 0, j = 2; i < unitTestArgs->num_args; i++, j++) { unitTestArgs->args[i] = apps_args[j]; } msg.type = SIR_HAL_UNIT_TEST_CMD; -- cgit v1.1