DivestOS/Patches/Linux_CVEs/CVE-2016-8466/3.18/0002.patch
2017-11-07 17:32:46 -05:00

60 lines
1.8 KiB
Diff

From 4af032a458109027c88c478c800aac97a7105250 Mon Sep 17 00:00:00 2001
From: Ram Sripathi <ram.sripathi@broadcom.com>
Date: Fri, 4 Nov 2016 15:44:14 -0700
Subject: net: wireless: bcmdhd: Heap over write in dhdmsgbuf_query_ioctl
handled heap overwrite with checks
Signed-off-by: Ram Sripathi <ram.sripathi@broadcom.com>
Bug: 31822524
Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31
---
drivers/net/wireless/bcmdhd/dhd_msgbuf.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
index 8d7d4bf..e6e2848 100644
--- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
+++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
@@ -2493,22 +2493,24 @@ static int
dhdmsgbuf_query_ioctl(dhd_pub_t *dhd, int ifidx, uint cmd, void *buf, uint len, uint8 action)
{
dhd_prot_t *prot = dhd->prot;
-
int ret = 0;
- DHD_TRACE(("%s: Enter\n", __FUNCTION__));
-
- /* Respond "bcmerror" and "bcmerrorstr" with local cache */
- if (cmd == WLC_GET_VAR && buf)
- {
- if (!strcmp((char *)buf, "bcmerrorstr"))
- {
- strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN);
+ DHD_TRACE(("%s: Enter\n", __func__));
+ if (!buf || !len) {
+ DHD_ERROR(("%s(): Zero length bailing\n", __func__));
+ ret = BCME_BADARG;
+ goto done;
+ }
+ if (cmd == WLC_GET_VAR) {
+ /* Respond "bcmerror" and "bcmerrorstr" with local cache */
+ if ((len > strlen("bcmerrorstr")) &&
+ !strcmp(buf, "bcmerrorstr")) {
+ strlcpy(buf, bcmerrorstr(dhd->dongle_error), len);
goto done;
- }
- else if (!strcmp((char *)buf, "bcmerror"))
- {
- *(int *)buf = dhd->dongle_error;
+ } else if ((len > strlen("bcmerror")) &&
+ !strcmp(buf, "bcmerror")) {
+ memcpy(buf, &dhd->dongle_error,
+ sizeof(dhd->dongle_error));
goto done;
}
}
--
cgit v1.1