qcacmn: Fix OOB in extract_reg_11d_new_country_event_tlv
In extract_reg_11d_new_country_event_tlv(), the reg_11d_country_event->new_alpha2 buffer from the original WMI message is copied into reg_11d_country->alpha2. This will only copy REG_ALPHA2_LEN bytes into a buffer that is REG_ALPHA2_LEN + 1 bytes. Then the reg_11d_country->alpha2 buffer is printed as a string. Because the original reg_11d_new_country structure in tgt_reg_11d_new_cc_handler() was allocated on the stack and not initialized, there is no guarantee that the buffer is NULL terminated. Due to this, the WMI_LOGD() call will result in an OOB issue when printing the buffer.

Change-Id: I20b0044974438d95e4c09f843db2a7f369c9b85d
CRs-Fixed: 2327718
This commit is contained in:
@@ -17854,6 +17854,7 @@ static QDF_STATUS extract_reg_11d_new_country_event_tlv(
|
||||
|
||||
qdf_mem_copy(reg_11d_country->alpha2,
|
||||
®_11d_country_event->new_alpha2, REG_ALPHA2_LEN);
|
||||
reg_11d_country->alpha2[REG_ALPHA2_LEN] = '\0';
|
||||
|
||||
WMI_LOGD("processed 11d country event, new cc %s",
|
||||
reg_11d_country->alpha2);
|
||||
|
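Review bot: The termination at reg_11d_country->alpha2[REG_ALPHA2_LEN] = '\0'; repairs only this one field and is in bounds only if alpha2 is declared with REG_ALPHA2_LEN + 1 bytes, a declaration this hunk does not show. Indexing with sizeof(reg_11d_country->alpha2) - 1, or adding a compile-time size assertion next to the copy, would keep the write safe if the array size ever changes. The commit message says the structure in tgt_reg_11d_new_cc_handler() is an uninitialized stack variable, so zero-initializing it at the caller as well would leave every field the extractor does not set in a defined state, not just alpha2. The two bytes copied by qdf_mem_copy() come straight from the WMI message and are passed to WMI_LOGD() with %s, so consider checking that they are printable before logging them.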