From f6d5a65c4782578f22aa6fbb9fb16579999e9f12 Mon Sep 17 00:00:00 2001 From: Jianmin Zhu Date: Thu, 11 Oct 2018 20:30:58 +0800 Subject: [PATCH] qcacmn: Fix OOB in extract_reg_11d_new_country_event_tlv In extract_reg_11d_new_country_event_tlv(), the reg_11d_country_event->new_alpha2 buffer from the original WMI message is copied into reg_11d_country->alpha2. Will only copy REG_ALPHA2_LEN bytes into a buffer that REG_ALPHA2_LEN +1 bytes. then reg_11d_country->alpha2 buffer is printed as a string. Because the original reg_11d_new_country structure in tgt_reg_11d_new_cc_handler() was allocated on the stack and not initialized, there is no guarantee that the buffer is NULL terminated. Due to this the WMI_LOGD() call will result in an OOB issue when printing the buffer. Change-Id: I20b0044974438d95e4c09f843db2a7f369c9b85d CRs-Fixed: 2327718 --- wmi_unified_tlv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/wmi_unified_tlv.c b/wmi_unified_tlv.c index 91216b2687..54c10f45f5 100644 --- a/wmi_unified_tlv.c +++ b/wmi_unified_tlv.c @@ -17854,6 +17854,7 @@ static QDF_STATUS extract_reg_11d_new_country_event_tlv( qdf_mem_copy(reg_11d_country->alpha2, ®_11d_country_event->new_alpha2, REG_ALPHA2_LEN); + reg_11d_country->alpha2[REG_ALPHA2_LEN] = '\0'; WMI_LOGD("processed 11d country event, new cc %s", reg_11d_country->alpha2);
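Review bot: the added terminator `reg_11d_country->alpha2[REG_ALPHA2_LEN] = '\0';` is only safe because, as the commit message states, alpha2 is REG_ALPHA2_LEN + 1 bytes, and nothing in the hunk pins that down; put a build-time size check next to the copy (a static assertion that sizeof(reg_11d_country->alpha2) == REG_ALPHA2_LEN + 1, using whatever compile-time assert macro this tree provides) so a later change to the struct cannot turn this terminator into a one-byte write past the end. The fix is correct for the WMI_LOGD("... new cc %s", ...) overread: the copy still moves exactly REG_ALPHA2_LEN bytes of whatever the firmware put in new_alpha2, so after this change the read stops at index REG_ALPHA2_LEN no matter what those bytes are. It does not validate the content, so any consumer that later treats alpha2 as a real country code should still check the two bytes rather than relying on the terminator alone. Minor: the `®_11d_country_event->new_alpha2` shown in the unchanged context is the extraction rendering of the `&reg_11d_country_event->new_alpha2` argument and is not something the patch touches.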