DivestOS/Patches/Linux_CVEs/CVE-2016-8466/3.10/0001.patch
2017-11-07 17:32:46 -05:00

58 lines
1.8 KiB
Diff

From 67d429b1cb87879c33df58febc0b7bf6712bc7c0 Mon Sep 17 00:00:00 2001
From: Ram Sripathi <ram.sripathi@broadcom.com>
Date: Fri, 4 Nov 2016 15:44:14 -0700
Subject: [PATCH] net: wireless: bcmdhd: Heap over write in
dhdmsgbuf_query_ioctl
handled heap overwrite with checks
Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31
Bug: 31822524
Signed-off-by: Ram Sripathi <ram.sripathi@broadcom.com>
---
drivers/net/wireless/bcmdhd/dhd_msgbuf.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
index cb5018c52f10b..90f9733a7e36c 100644
--- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
+++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
@@ -2612,22 +2612,24 @@ static int
dhdmsgbuf_query_ioctl(dhd_pub_t *dhd, int ifidx, uint cmd, void *buf, uint len, uint8 action)
{
dhd_prot_t *prot = dhd->prot;
-
int ret = 0;
- DHD_TRACE(("%s: Enter\n", __FUNCTION__));
-
- /* Respond "bcmerror" and "bcmerrorstr" with local cache */
- if (cmd == WLC_GET_VAR && buf)
- {
- if (!strcmp((char *)buf, "bcmerrorstr"))
- {
- strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN);
+ DHD_TRACE(("%s: Enter\n", __func__));
+ if (!buf || !len) {
+ DHD_ERROR(("%s(): Zero length bailing\n", __func__));
+ ret = BCME_BADARG;
+ goto done;
+ }
+ if (cmd == WLC_GET_VAR) {
+ /* Respond "bcmerror" and "bcmerrorstr" with local cache */
+ if ((len > strlen("bcmerrorstr")) &&
+ !strcmp(buf, "bcmerrorstr")) {
+ strlcpy(buf, bcmerrorstr(dhd->dongle_error), len);
goto done;
- }
- else if (!strcmp((char *)buf, "bcmerror"))
- {
- *(int *)buf = dhd->dongle_error;
+ } else if ((len > strlen("bcmerror")) &&
+ !strcmp(buf, "bcmerror")) {
+ memcpy(buf, &dhd->dongle_error,
+ sizeof(dhd->dongle_error));
goto done;
}
}