From f31e58289c8ebded58ffe1d4709e2f878765b0a6 Mon Sep 17 00:00:00 2001 From: Amarnath Hullur Subramanyam Date: Wed, 28 Oct 2015 17:38:59 -0700 Subject: [PATCH] qcacld 2.0: Address buffer overflow due to invalid length prima to qcacld-2.0 propagation Check for valid length before copying the packet filter data from userspace buffer to kernel space buffer to avoid buffer overflow issue. CRs-Fixed: 930533 Git-commit: a079d716b5481223f0166c644e9ec7c75a31b02c Bug: 25344453 Signed-off-by: Amarnath Hullur Subramanyam --- drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c index 93136df4e2480..0b1ee2477e158 100644 --- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c +++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c @@ -8376,6 +8376,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest, hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d", pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength); + if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) < + (pRequest->paramsData[i].dataLength)) + return -EINVAL; memcpy(&packetFilterSetReq.paramsData[i].compareData, pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);