From 03e2b595446db591673c11ea1c009399a04c2d58 Mon Sep 17 00:00:00 2001
From: Jingxiang Ge
Date: Wed, 23 Jan 2019 17:15:53 +0800
Subject: [PATCH] qcacld-3.0: Fix buffer overwrite problem in GETIBSSPEERINFO

If (length + 1) is greater than priv_data.total_len then copy_to_user results in writing more data than the buffer can hold. Fix this by writing mininum of (length + 1) and priv_data->total_len.

Change-Id: If0c74b3c6c76ee3ca296fd8e0e844b9c53c30498
CRs-Fixed: 2386056
---
 core/hdd/src/wlan_hdd_ioctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/hdd/src/wlan_hdd_ioctl.c b/core/hdd/src/wlan_hdd_ioctl.c
index 30d0cb2ebf..a881192833 100644
--- a/core/hdd/src/wlan_hdd_ioctl.c
+++ b/core/hdd/src/wlan_hdd_ioctl.c
@@ -5292,9 +5292,10 @@ static int drv_cmd_get_ibss_peer_info(struct hdd_adapter *adapter,
 			(int)txRate,
 			(int)sta_ctx->ibss_peer_info.
 			peerInfoParams[0].rssi);
+	length = QDF_MIN(priv_data->total_len, length + 1);
 	/* Copy the data back into buffer */
-	if (copy_to_user(priv_data->buf, &extra, length + 1)) {
+	if (copy_to_user(priv_data->buf, &extra, length)) {
 		hdd_err("copy data to user buffer failed GETIBSSPEERINFO command");
 		ret = -EFAULT;
 		goto exit;