DivestOS/Patches/Linux_CVEs/CVE-2016-3874/qcacld-2.0/0002.patch

From a3974e61c960aadcc147c3c5704a67309171642d Mon Sep 17 00:00:00 2001
From: SaidiReddy Yenuga <c_saidir@qti.qualcomm.com>
Date: Thu, 16 Jun 2016 13:20:35 +0530
Subject: qcacld-2.0: Fix buffer over read in iwpriv WE_UNIT_TEST_CMD command

In current driver, WE_UNIT_TEST_CMD has below problem.
- apps_arg[1] can have zero value and can lead to
  buffer overead

Change the code to handle the number of args if user has
given zero.

CRs-Fixed: 1029540
Change-Id: Idc8e1d77d9623daeb98d0c4b7ad8a8d6cfa9c2d2
---
 CORE/HDD/src/wlan_hdd_wext.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index fd738da..33d4dfd 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -9072,7 +9072,7 @@ static int __iw_set_var_ints_getnone(struct net_device *dev,
                 }
                 if ((apps_args[1] > (WMA_MAX_NUM_ARGS)) ||
                     (apps_args[1] < 0)) {
-                    hddLog(LOGE, FL("Too Many args %d"), apps_args[1]);
+                    hddLog(LOGE, FL("Too Many/Few args %d"), apps_args[1]);
                     return -EINVAL;
                 }
                 unitTestArgs = vos_mem_malloc(sizeof(*unitTestArgs));
@@ -9084,8 +9084,7 @@ static int __iw_set_var_ints_getnone(struct net_device *dev,
                 unitTestArgs->vdev_id            = (int)pAdapter->sessionId;
                 unitTestArgs->module_id          = apps_args[0];
                 unitTestArgs->num_args           = apps_args[1];
-                for (i = 0, j = 2; i < unitTestArgs->num_args - 1;
-                     i++, j++) {
+                for (i = 0, j = 2; i < unitTestArgs->num_args; i++, j++) {
                     unitTestArgs->args[i] = apps_args[j];
                 }
                 msg.type = SIR_HAL_UNIT_TEST_CMD;
-- 
cgit v1.1