DivestOS/Patches/Linux_CVEs/CVE-2017-0573/0.patch


From 3d9f2799fd13d1125ab4b3d74a523bd7f2e566f3 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Tue, 31 Jan 2017 16:18:40 -0800
Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in
wl_android_set_roampref
Add a boundary check so the allocated buffer is not overrun,
especially when user input is corrupted or manipulated.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
Bug: 34469904
---
drivers/net/wireless/bcmdhd/wl_android.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/wl_android.c b/drivers/net/wireless/bcmdhd/wl_android.c
index 46b00bd913835..c415bfcba0f6a 100644
--- a/drivers/net/wireless/bcmdhd/wl_android.c
+++ b/drivers/net/wireless/bcmdhd/wl_android.c
@@ -936,8 +936,8 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
uint8 buf[MAX_BUF_SIZE];
uint8 *pref = buf;
char *pcmd;
- int num_ucipher_suites = 0;
- int num_akm_suites = 0;
+ uint num_ucipher_suites;
+ uint num_akm_suites;
wpa_suite_t ucipher_suites[MAX_NUM_SUITES];
wpa_suite_t akm_suites[MAX_NUM_SUITES];
int num_tuples = 0;
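Review bot: Switching `num_ucipher_suites` and `num_akm_suites` from `int` to `uint` changes the signedness of every expression they take part in, not only the new `> MAX_NUM_SUITES` checks. Any comparison elsewhere in wl_android_set_roampref that puts a signed length on one side and a count-based product on the other, for example `num_akm_suites * WIDTH_AKM_SUITE`, is now evaluated as unsigned, so a negative length would compare as a very large value. The function body continues outside this hunk, so those sites are not visible here and should be audited. I would also document the intent on the declarations, e.g. `/* unsigned: parsed from the command string, bounded by MAX_NUM_SUITES */`.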
@@ -950,6 +950,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
total_len_left = total_len - strlen(CMD_SET_ROAMPREF) + 1;
num_akm_suites = simple_strtoul(pcmd, NULL, 16);
+ if (num_akm_suites > MAX_NUM_SUITES) {
+ WL_ERR(("wrong num_akm_suites:%d.\n", num_akm_suites));
+ return BCME_ERROR;
+ }
/* Increment for number of AKM suites field + space */
pcmd += 3;
total_len_left -= 3;
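Review bot: The new bound protects `akm_suites[]`, but `num_akm_suites` is still parsed from `pcmd` with no visible check that the three bytes consumed by `pcmd += 3` remain in the command; a guard such as `if (total_len_left < 3) return BCME_ERROR;` before the `simple_strtoul` call would cover a truncated command. The cipher-suite hunk has the same shape after `total_len_left -= (num_akm_suites * WIDTH_AKM_SUITE)`. The context line computing `total_len_left` adds 1 after subtracting `strlen(CMD_SET_ROAMPREF)`, which looks like it overstates the remaining length if `pcmd` was advanced past the command name and a separator; that setup is outside the hunk, so this needs confirming. Both new `WL_ERR` calls print a `uint` with `%d`, and `%u` would match the new type.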
@@ -975,6 +979,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
total_len_left -= (num_akm_suites * WIDTH_AKM_SUITE);
num_ucipher_suites = simple_strtoul(pcmd, NULL, 16);
+ if (num_ucipher_suites > MAX_NUM_SUITES) {
+ WL_ERR(("wrong num_ucipher_suites:%d.\n", num_ucipher_suites));
+ return BCME_ERROR;
+ }
/* Increment for number of cipher suites field + space */
pcmd += 3;
total_len_left -= 3;