From ddf864f37134df0960d337ff16e6f2435b4fe90c Mon Sep 17 00:00:00 2001
From: Manjeet Singh
Date: Fri, 10 Feb 2017 19:03:38 +0530
Subject: wlan: Add buf len check in wlan_hdd_cfg80211_testmode
In __wlan_hdd_cfg80211_testmode API no checks are in place that ensure that buflen is smaller or equal the size of the stack variable hb_params. Hence, the vos_mem_copy() call can overflow stack memory. Add buf len check to avoid stack overflow.
CRs-Fixed: 1105085
Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
---
 CORE/HDD/src/wlan_hdd_cfg80211.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 81c3944..0c0bca2 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -16424,6 +16424,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy, void *data, int len
 buf = nla_data(tb[WLAN_HDD_TM_ATTR_DATA]);
 buf_len = nla_len(tb[WLAN_HDD_TM_ATTR_DATA]);
+ if (buf_len > sizeof(*hb_params)) {
+ hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"),
+ buf_len);
+ return -ERANGE;
+ }
+
 hb_params_temp =(tSirLPHBReq *)buf;
 if ((hb_params_temp->cmd == LPHB_SET_TCP_PARAMS_INDID) && (hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0))
--
cgit v1.1
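Review bot: The added guard bounds buf_len only from above, so an attribute payload shorter than `sizeof(*hb_params)` still reaches the cast on the next context line, where `hb_params_temp->cmd` and `hb_params_temp->params.lphbTcpParamReq.timePeriodSec` are read from buf without any proof that those bytes were supplied. Unless shorter requests are valid for some cmd values, the check could require the full size, `if (buf_len != sizeof(*hb_params)) {`, or at least add a lower bound before the first field access. buf_len is logged with `%d` and so is presumably signed; the comparison with sizeof converts it to unsigned, which also rejects negative lengths, and a one-line comment such as `/* buf_len is converted to size_t here, so negative values are rejected too */` would make that intent explicit. The function body starts and ends outside the hunk, so the later copy into hb_params and how hb_params is allocated are not visible here.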