DivestOS/Patches/Linux_CVEs/CVE-2015-0569/3.10/2.patch
2017-10-29 22:14:37 -04:00

34 lines
1.6 KiB
Diff

From f31e58289c8ebded58ffe1d4709e2f878765b0a6 Mon Sep 17 00:00:00 2001
From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
Date: Wed, 28 Oct 2015 17:38:59 -0700
Subject: [PATCH] qcacld 2.0: Address buffer overflow due to invalid length
prima to qcacld-2.0 propagation
Check for valid length before copying the packet filter data from
userspace buffer to kernel space buffer to avoid buffer overflow
issue.
CRs-Fixed: 930533
Git-commit: a079d716b5481223f0166c644e9ec7c75a31b02c
Bug: 25344453
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
---
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
index 93136df4e2480..0b1ee2477e158 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
@@ -8376,6 +8376,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest,
hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d",
pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
+ (pRequest->paramsData[i].dataLength))
+ return -EINVAL;
memcpy(&packetFilterSetReq.paramsData[i].compareData,
pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);