qcacld-3.0: Check buff len alloc in __iw_set_packet_filter_params
In __iw_set_packet_filter_params(), a user controlled length value, priv_data.length, is used to allocated a buffer. This buffer is then cast to a struct pointer of struct pkt_filter_cfg type without ensuring the buffer is large enough to hold the struct. This can lead to a buffer overread if the user supplied size is smaller than the actual size of the struct. Add a sanity check on priv_data.length to ensure that the size is large enough to hold the struct. Change-Id: I227856484d4bd7a9b0a16a42e26febbc799f80b5 CRs-Fixed: 2228725
This commit is contained in:
Sourav Mohapatra
committad av
nshrivas
nshrivas
förälder
351a989b06
incheckning
debfc5a964
@@ -8245,7 +8245,8 @@ static int __iw_set_packet_filter_params(struct net_device *dev,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if ((NULL == priv_data.pointer) || (0 == priv_data.length)) {
|
||||
if ((NULL == priv_data.pointer) || (0 == priv_data.length) ||
|
||||
priv_data.length < sizeof(struct pkt_filter_cfg)) {
|
||||
hdd_err("invalid priv data %pK or invalid priv data length %d",
|
||||
priv_data.pointer, priv_data.length);
|
||||
return -EINVAL;
|
||||
|
||||
Referens i nytt ärende
Block a user