DivestOS/Patches/Linux_CVEs/CVE-2016-8466/1.patch

From 4af032a458109027c88c478c800aac97a7105250 Mon Sep 17 00:00:00 2001
From: Ram Sripathi <ram.sripathi@broadcom.com>
Date: Fri, 4 Nov 2016 15:44:14 -0700
Subject: net: wireless: bcmdhd: Heap over write in dhdmsgbuf_query_ioctl

handled heap overwrite with checks

Signed-off-by: Ram Sripathi <ram.sripathi@broadcom.com>
Bug: 31822524
Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31
---
 drivers/net/wireless/bcmdhd/dhd_msgbuf.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
index 8d7d4bf..e6e2848 100644
--- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
+++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
@@ -2493,22 +2493,24 @@ static int
 dhdmsgbuf_query_ioctl(dhd_pub_t *dhd, int ifidx, uint cmd, void *buf, uint len, uint8 action)
 {
 	dhd_prot_t *prot = dhd->prot;
-
 	int ret = 0;
 
-	DHD_TRACE(("%s: Enter\n", __FUNCTION__));
-
-	/* Respond "bcmerror" and "bcmerrorstr" with local cache */
-	if (cmd == WLC_GET_VAR && buf)
-	{
-		if (!strcmp((char *)buf, "bcmerrorstr"))
-		{
-			strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN);
+	DHD_TRACE(("%s: Enter\n", __func__));
+	if (!buf || !len) {
+		DHD_ERROR(("%s(): Zero length bailing\n", __func__));
+		ret = BCME_BADARG;
+		goto done;
+	}
+	if (cmd == WLC_GET_VAR) {
+		/* Respond "bcmerror" and "bcmerrorstr" with local cache */
+		if ((len > strlen("bcmerrorstr")) &&
+		    !strcmp(buf, "bcmerrorstr")) {
+			strlcpy(buf, bcmerrorstr(dhd->dongle_error), len);
 			goto done;
-		}
-		else if (!strcmp((char *)buf, "bcmerror"))
-		{
-			*(int *)buf = dhd->dongle_error;
+		} else if ((len > strlen("bcmerror")) &&
+			   !strcmp(buf, "bcmerror")) {
+			memcpy(buf, &dhd->dongle_error,
+			       sizeof(dhd->dongle_error));
 			goto done;
 		}
 	}
-- 
cgit v1.1