mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-24 06:59:27 -05:00
54 lines
2.0 KiB
Diff
54 lines
2.0 KiB
Diff
From 3d9f2799fd13d1125ab4b3d74a523bd7f2e566f3 Mon Sep 17 00:00:00 2001
|
|
From: Insun Song <insun.song@broadcom.com>
|
|
Date: Tue, 31 Jan 2017 16:18:40 -0800
|
|
Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in
|
|
wl_android_set_roampref
|
|
|
|
added boundary check not to override allocated buffer.
|
|
Specially when user input corrupted or manipulated.
|
|
|
|
Signed-off-by: Insun Song <insun.song@broadcom.com>
|
|
Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
|
|
Bug: 34469904
|
|
---
|
|
drivers/net/wireless/bcmdhd/wl_android.c | 12 ++++++++++--
|
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/net/wireless/bcmdhd/wl_android.c b/drivers/net/wireless/bcmdhd/wl_android.c
|
|
index 46b00bd913835..c415bfcba0f6a 100644
|
|
--- a/drivers/net/wireless/bcmdhd/wl_android.c
|
|
+++ b/drivers/net/wireless/bcmdhd/wl_android.c
|
|
@@ -936,8 +936,8 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
|
|
uint8 buf[MAX_BUF_SIZE];
|
|
uint8 *pref = buf;
|
|
char *pcmd;
|
|
- int num_ucipher_suites = 0;
|
|
- int num_akm_suites = 0;
|
|
+ uint num_ucipher_suites;
|
|
+ uint num_akm_suites;
|
|
wpa_suite_t ucipher_suites[MAX_NUM_SUITES];
|
|
wpa_suite_t akm_suites[MAX_NUM_SUITES];
|
|
int num_tuples = 0;
|
|
@@ -950,6 +950,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
|
|
total_len_left = total_len - strlen(CMD_SET_ROAMPREF) + 1;
|
|
|
|
num_akm_suites = simple_strtoul(pcmd, NULL, 16);
|
|
+ if (num_akm_suites > MAX_NUM_SUITES) {
|
|
+ WL_ERR(("wrong num_akm_suites:%d.\n", num_akm_suites));
|
|
+ return BCME_ERROR;
|
|
+ }
|
|
/* Increment for number of AKM suites field + space */
|
|
pcmd += 3;
|
|
total_len_left -= 3;
|
|
@@ -975,6 +979,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
|
|
|
|
total_len_left -= (num_akm_suites * WIDTH_AKM_SUITE);
|
|
num_ucipher_suites = simple_strtoul(pcmd, NULL, 16);
|
|
+ if (num_ucipher_suites > MAX_NUM_SUITES) {
|
|
+ WL_ERR(("wrong num_ucipher_suites:%d.\n", num_ucipher_suites));
|
|
+ return BCME_ERROR;
|
|
+ }
|
|
/* Increment for number of cipher suites field + space */
|
|
pcmd += 3;
|
|
total_len_left -= 3;
|