2017-11-07 17:32:46 -05:00


From f35ce58f516c15c022745d687bb1c59ffab63293 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Wed, 24 May 2017 10:11:27 -0700
Subject: net: wireless: bcmdhd: add boundary check in dhd_rtt_event_handler
Add a boundary check on the input parameters so that malformed input injected
by a user cannot corrupt the kernel heap.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 37305578
Change-Id: I92114d7166fb68d8d97b33ea214f80e8917794d1
---
drivers/net/wireless/bcmdhd/dhd_rtt.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/wireless/bcmdhd/dhd_rtt.c b/drivers/net/wireless/bcmdhd/dhd_rtt.c
index 371328a..34b05be 100644
--- a/drivers/net/wireless/bcmdhd/dhd_rtt.c
+++ b/drivers/net/wireless/bcmdhd/dhd_rtt.c
@@ -1696,6 +1696,10 @@ dhd_rtt_event_handler(dhd_pub_t *dhd, wl_event_msg_t *event, void *event_data)
return ret;
}
}
+ if (!event_data) {
+ DHD_ERROR(("%s: event_data:NULL\n", __FUNCTION__));
+ return -EINVAL;
+ }
p_event = (wl_proxd_event_t *) event_data;
version = ltoh16(p_event->version);
if (version < WL_PROXD_API_VERSION) {
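Review bot: The added guard rejects only a NULL `event_data`; the next lines cast it to `wl_proxd_event_t *` and read `p_event->version` without establishing that the payload is at least as long as the fixed event header. If the received length is available at this point (presumably `event->datalen`, which this hunk does not show), the guard should also reject short payloads, e.g. `if (!event_data || ntoh32(event->datalen) < OFFSETOF(wl_proxd_event_t, tlvs))`. The function starts and continues outside the hunk, so an earlier length check may already exist and should be confirmed before adding one.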
@@ -1718,6 +1722,11 @@ dhd_rtt_event_handler(dhd_pub_t *dhd, wl_event_msg_t *event, void *event_data)
goto exit; /* ignore this event */
}
/* get TLVs len, skip over event header */
+ if (ltoh16(p_event->len) < OFFSETOF(wl_proxd_event_t, tlvs)) {
+ DHD_ERROR(("invalid FTM event length:%d\n", ltoh16(p_event->len)));
+ ret = -EINVAL;
+ goto exit;
+ }
tlvs_len = ltoh16(p_event->len) - OFFSETOF(wl_proxd_event_t, tlvs);
DHD_RTT(("receive '%s' event: version=0x%x len=%d method=%d sid=%d tlvs_len=%d\n",
p_loginfo->text,
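Review bot: The new check bounds `p_event->len` only from below, so the subtraction can no longer underflow, but `len` is a field of the event itself and is never compared with the number of bytes actually delivered. An event that declares a `len` larger than its real payload still produces a `tlvs_len` that extends past the buffer when the TLVs are processed later in the function, outside this hunk. The same condition should also reject `ltoh16(p_event->len) > <received data length>`, with the placeholder replaced by whatever length the caller provides. As a smaller point, the message would be easier to trace in logs if it carried `__FUNCTION__` like the NULL check in the first hunk: `DHD_ERROR(("%s: invalid FTM event length:%d\n", __FUNCTION__, ltoh16(p_event->len)));`.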
--
cgit v1.1