samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix buffer overwrite problem in GETIBSSPEERINFO

Browse Source 
If (length + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing mininum of (length + 1) and priv_data->total_len.

Change-Id: If0c74b3c6c76ee3ca296fd8e0e844b9c53c30498
CRs-Fixed: 2386056
This commit is contained in:
Jingxiang Ge
2019-01-23 17:15:53 +08:00
committed by nshrivas
parent b4260d5e38
commit 03e2b59544
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
core/hdd/src/wlan_hdd_ioctl.c
View File

@@ -5292,9 +5292,10 @@ static int drv_cmd_get_ibss_peer_info(struct hdd_adapter *adapter,
(int)txRate, (int)txRate,
(int)sta_ctx->ibss_peer_info. (int)sta_ctx->ibss_peer_info.
peerInfoParams[0].rssi); peerInfoParams[0].rssi);
length = QDF_MIN(priv_data->total_len, length + 1);
/* Copy the data back into buffer */ /* Copy the data back into buffer */
if (copy_to_user(priv_data->buf, &extra, length + 1)) { if (copy_to_user(priv_data->buf, &extra, length)) {
hdd_err("copy data to user buffer failed GETIBSSPEERINFO command"); hdd_err("copy data to user buffer failed GETIBSSPEERINFO command");
ret = -EFAULT; ret = -EFAULT;
goto exit; goto exit;