From ddf864f37134df0960d337ff16e6f2435b4fe90c Mon Sep 17 00:00:00 2001
From: Manjeet Singh <manjee@codeaurora.org>
Date: Fri, 10 Feb 2017 19:03:38 +0530
Subject: wlan: Add buf len check in wlan_hdd_cfg80211_testmode
In __wlan_hdd_cfg80211_testmode API no checks are in place that
ensure that buflen is smaller than or equal to the size of the stack
variable hb_params. Hence, the vos_mem_copy() call can overflow
stack memory.
Add buf len check to avoid stack overflow.
CRs-Fixed: 1105085
Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 81c3944..0c0bca2 100644
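--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -16424,6 +16424,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy, void *data, int len
 buf = nla_data(tb[WLAN_HDD_TM_ATTR_DATA]);
 buf_len = nla_len(tb[WLAN_HDD_TM_ATTR_DATA]);
 
+ if (buf_len > sizeof(*hb_params)) {
+ hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"),
+ buf_len);
+ return -ERANGE;
+ }
+
 hb_params_temp =(tSirLPHBReq *)buf;
 if ((hb_params_temp->cmd == LPHB_SET_TCP_PARAMS_INDID) &&
 (hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0))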
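Review bot: The added check bounds buf_len only from above, so a short WLAN_HDD_TM_ATTR_DATA payload still reaches the cast to `tSirLPHBReq *` on the next lines, where `hb_params_temp->cmd` and `params.lphbTcpParamReq.timePeriodSec` are read from a buffer that may be smaller than those fields. If requests are always a full structure, rejecting any mismatch closes both directions: `if (buf_len != sizeof(*hb_params)) {`; otherwise a lower bound covering the fields dereferenced here is needed. The `%d` in the log suggests buf_len is a signed int compared against a `size_t`; a negative value would convert to a large unsigned number and be rejected, which is worth a one-line comment such as `/* buf_len is promoted to size_t here, so negative lengths are rejected too */`. The function body starts and ends outside the hunk, so the vos_mem_copy() named in the commit message is not visible here and should be confirmed to use the validated length.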
--
cgit v1.1