DivestOS/Patches/Linux_CVEs/CVE-2015-0569/prima/0002.patch
2017-11-07 18:55:10 -05:00

33 lines
1.3 KiB
Diff

From 0ffca4f7bca3a8157d8dbaddbcea292c267fb5aa Mon Sep 17 00:00:00 2001
From: Mahesh A Saptasagar <c_msapta@qti.qualcomm.com>
Date: Tue, 27 Oct 2015 15:40:18 +0530
Subject: wlan: Address buffer overflow due to invalid length
Check for valid length before copying the packet filter data from
userspace buffer to kernel space buffer to avoid buffer overflow
issue.
Change-Id: I9548727543b903b5eaafa25c6184615d511ca99d
CRs-Fixed: 930533
---
CORE/HDD/src/wlan_hdd_wext.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index c38563d..79dde24 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -8401,6 +8401,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest,
hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d",
pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
+ (pRequest->paramsData[i].dataLength))
+ return -EINVAL;
memcpy(&packetFilterSetReq.paramsData[i].compareData,
pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);
--
cgit v1.1