From 0ffca4f7bca3a8157d8dbaddbcea292c267fb5aa Mon Sep 17 00:00:00 2001 From: Mahesh A Saptasagar Date: Tue, 27 Oct 2015 15:40:18 +0530 Subject: wlan: Address buffer overflow due to invalid length Check for valid length before copying the packet filter data from userspace buffer to kernel space buffer to avoid buffer overflow issue. Change-Id: I9548727543b903b5eaafa25c6184615d511ca99d CRs-Fixed: 930533 --- CORE/HDD/src/wlan_hdd_wext.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c index c38563d..79dde24 100644 --- a/CORE/HDD/src/wlan_hdd_wext.c +++ b/CORE/HDD/src/wlan_hdd_wext.c @@ -8401,6 +8401,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest, hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d", pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength); + if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) < + (pRequest->paramsData[i].dataLength)) + return -EINVAL; memcpy(&packetFilterSetReq.paramsData[i].compareData, pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength); -- cgit v1.1