From 3d9f2799fd13d1125ab4b3d74a523bd7f2e566f3 Mon Sep 17 00:00:00 2001
From: Insun Song
Date: Tue, 31 Jan 2017 16:18:40 -0800
Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref

added boundary check not to override allocated buffer. Specially when user input corrupted or manipulated.

Signed-off-by: Insun Song
Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
Bug: 34469904
---
 drivers/net/wireless/bcmdhd/wl_android.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/bcmdhd/wl_android.c b/drivers/net/wireless/bcmdhd/wl_android.c
index 46b00bd913835..c415bfcba0f6a 100644
--- a/drivers/net/wireless/bcmdhd/wl_android.c
+++ b/drivers/net/wireless/bcmdhd/wl_android.c
@@ -936,8 +936,8 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
 uint8 buf[MAX_BUF_SIZE];
 uint8 *pref = buf;
 char *pcmd;
- int num_ucipher_suites = 0;
- int num_akm_suites = 0;
+ uint num_ucipher_suites;
+ uint num_akm_suites;
 wpa_suite_t ucipher_suites[MAX_NUM_SUITES];
 wpa_suite_t akm_suites[MAX_NUM_SUITES];
 int num_tuples = 0;
@@ -950,6 +950,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
 total_len_left = total_len - strlen(CMD_SET_ROAMPREF) + 1;
 num_akm_suites = simple_strtoul(pcmd, NULL, 16);
+ if (num_akm_suites > MAX_NUM_SUITES) {
+ WL_ERR(("wrong num_akm_suites:%d.\n", num_akm_suites));
+ return BCME_ERROR;
+ }
 /* Increment for number of AKM suites field + space */
 pcmd += 3;
 total_len_left -= 3;
@@ -975,6 +979,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
 total_len_left -= (num_akm_suites * WIDTH_AKM_SUITE);
 num_ucipher_suites = simple_strtoul(pcmd, NULL, 16);
+ if (num_ucipher_suites > MAX_NUM_SUITES) {
+ WL_ERR(("wrong num_ucipher_suites:%d.\n", num_ucipher_suites));
+ return BCME_ERROR;
+ }
 /* Increment for number of cipher suites field + space */
 pcmd += 3;
 total_len_left -= 3;
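Review bot: Declaring `num_ucipher_suites` and `num_akm_suites` as `uint` while `total_len_left` stays `int` means every expression that mixes them is now evaluated as unsigned, for example `total_len_left -= (num_akm_suites * WIDTH_AKM_SUITE);` in the third hunk. If a length test outside the hunks compares `total_len_left` with such a product, a negative `total_len_left` would convert to a large unsigned value and pass the test; that code is not visible here, so this needs confirming. An explicit `if (total_len_left < 0) return BCME_ERROR;` ahead of any such comparison, or a cast of the product to `int` once the counts are capped, keeps the comparison signed. The function body starts and ends outside this hunk.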
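Review bot: The new cap on `num_akm_suites` bounds the array index, but the context lines around it still do `pcmd += 3` unconditionally: `simple_strtoul(pcmd, NULL, 16)` discards the end pointer, so nothing in this hunk verifies that the count field is two hex digits plus a separator or that three bytes remain in the command. A guard such as `if (total_len_left < 3) return BCME_ERROR;` before the parse would cover that, and the same applies to the `num_ucipher_suites` parse in the third hunk. The starting value `total_len - strlen(CMD_SET_ROAMPREF) + 1` also appears to overstate the bytes left after the command name (presumably `- 1` was intended); this should be checked against how `pcmd` is initialised outside the hunk. Since both counters are now `uint`, the two `WL_ERR` messages should print them with `%u` rather than `%d`.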