From a2959858f428acfca3ca4c61d3c10b446bfe9b60 Mon Sep 17 00:00:00 2001
From: Manjeet Singh
Date: Tue, 3 Jan 2017 12:08:10 +0530
Subject: qcacld-3.0: Add buf len check in wlan_hdd_cfg80211_testmode qcacld-2.0 to qcacld-3.0 propagation. In __wlan_hdd_cfg80211_testmode API no checks are in place that ensure that buflen is smaller or equal the size of the stack variable hb_params. Hence, the vos_mem_copy() call can overflow stack memory. Add buf len check to avoid stack overflow
CRs-Fixed: 1105085
Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
---
 core/hdd/src/wlan_hdd_cfg80211.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 98b0012..1f34e4c 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -14974,6 +14974,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy,
 timePeriodSec == 0)) return -EINVAL;
+ if (buf_len > sizeof(*hb_params)) {
+ hdd_err("buf_len=%d exceeded hb_params size limit",
+ buf_len);
+ return -ERANGE;
+ }
+
 hb_params = (tSirLPHBReq *) qdf_mem_malloc(sizeof(tSirLPHBReq));
 if (NULL == hb_params) {
--
cgit v1.1
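Review bot: The added bound on `buf_len` is only an upper limit and sits after the `timePeriodSec == 0` test in the leading context, so the request payload appears to be dereferenced before its length is validated, and a payload shorter than the structure is still accepted. If that earlier test reads the field through a `tSirLPHBReq` view of the netlink data (those lines are outside the hunk, so this is inferred), a short attribute would be read past its end. Consider moving the check above the first field access and adding a lower bound, for example `if (buf_len < 0 || (size_t)buf_len != sizeof(*hb_params)) return -EINVAL;`, or a minimum covering the fields actually read if shorter requests are legitimate. The `%d` suggests `buf_len` is a signed int, so the comparison with `sizeof` relies on the implicit unsigned conversion to reject negative values; a short comment saying so would help the next reader. The body of `__wlan_hdd_cfg80211_testmode` starts and ends outside the hunk.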