author | Stephen Chu <stephen.chu@broadcom.corp-partner.google.com> | 2020-07-09 16:36:31 +0800 |
---|---|---|
committer | Ahmed ElArabawy <arabawy@google.com> | 2020-07-09 20:07:41 -0700 |
commit | d23fabd236cd1bf471e8773dbcbd13109797f296 (patch) | |
tree | a39395222386998fb2a27ce5d6f909b7a3dfb50d | |
parent | 2cf6d2463e1cc817711efbf13b9f59fe2d6b92d5 (diff) | |
download | bcm43752-d23fabd236cd1bf471e8773dbcbd13109797f296.tar.gz |
bcmdhd: Fix out of bound access of sdtc iovar
Malloc buf for sdtc request instead of using bcm_iov_buf
Bug: 160739430
Test: Local build, load and connect ok
Signed-off-by: Stephen Chu <stephen.chu@broadcom.corp-partner.google.com>
Change-Id: Ife5ff2bd1f43b8292b3b97d44da9ca4fbed6f763
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
-rw-r--r-- | dhd_common.c | 35 |
1 files changed, 22 insertions, 13 deletions
diff --git a/dhd_common.c b/dhd_common.c
index 9b4faf1..d28e992 100644
--- a/dhd_common.c
+++ b/dhd_common.c
@@ -944,10 +944,10 @@ dhd_sssr_print_filepath(dhd_pub_t *dhd, char *path)
 void
 dhd_sdtc_etb_init(dhd_pub_t *dhd)
 {
- bcm_iov_buf_t iov_req;
+ bcm_iov_buf_t *iov_req = NULL;
 etb_addr_info_t *p_etb_addr_info = NULL;
- bcm_iov_buf_t *iov_resp;
- uint8 *buf;
+ bcm_iov_buf_t *iov_resp = NULL;
+ uint8 *buf = NULL;
 int ret = 0;
 uint16 iovlen = 0;
 uint16 version = 0;
@@ -955,20 +955,24 @@ dhd_sdtc_etb_init(dhd_pub_t *dhd)
 BCM_REFERENCE(p_etb_addr_info);
 dhd->sdtc_etb_inited = FALSE;
+ iov_req = MALLOCZ(dhd->osh, WLC_IOCTL_SMLEN);
+ if (iov_req == NULL) {
+ DHD_ERROR(("%s: Failed to alloc buffer for iovar request\n", __FUNCTION__));
+ goto exit;
+ }
 buf = MALLOCZ(dhd->osh, WLC_IOCTL_MAXLEN);
 if (buf == NULL) {
 DHD_ERROR(("%s: Failed to alloc buffer for iovar response\n", __FUNCTION__));
- return;
+ goto exit;
 }
 /* fill header */
- bzero(&iov_req, sizeof(iov_req));
- iov_req.version = WL_SDTC_IOV_VERSION;
- iov_req.id = WL_SDTC_CMD_ETB_INFO;
- iov_req.len = sizeof(etb_addr_info_t);
- iovlen = OFFSETOF(bcm_iov_buf_t, data) + iov_req.len;
+ iov_req->version = WL_SDTC_IOV_VERSION;
+ iov_req->id = WL_SDTC_CMD_ETB_INFO;
+ iov_req->len = sizeof(etb_addr_info_t);
+ iovlen = OFFSETOF(bcm_iov_buf_t, data) + iov_req->len;
- ret = dhd_iovar(dhd, 0, "sdtc", (char *)&iov_req, iovlen,
+ ret = dhd_iovar(dhd, 0, "sdtc", (char *)iov_req, iovlen,
 (char *)buf, WLC_IOCTL_MAXLEN, FALSE);
 if (ret < 0) {
 DHD_ERROR(("%s failed to get sdtc etb_info %d\n", __FUNCTION__, ret));
@@ -982,7 +986,7 @@ dhd_sdtc_etb_init(dhd_pub_t *dhd)
 goto exit;
 }
 iov_resp = (bcm_iov_buf_t *)buf;
- if (iov_resp->id == iov_req.id) {
+ if (iov_resp->id == iov_req->id) {
 p_etb_addr_info = (etb_addr_info_t*)iov_resp->data;
 dhd->etb_addr_info.version = p_etb_addr_info->version;
 dhd->etb_addr_info.len = p_etb_addr_info->len;
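Review bot: Nothing ties the size of the new request buffer to the length handed to dhd_iovar: iov_req is allocated with WLC_IOCTL_SMLEN, while iovlen is still computed separately as OFFSETOF(bcm_iov_buf_t, data) + sizeof(etb_addr_info_t). The removed code apparently went out of bounds through this same kind of mismatch (a bare bcm_iov_buf_t on the stack with a longer iovlen), so if etb_addr_info_t ever outgrows the small-ioctl size the over-read would come back unnoticed. Either allocate iovlen bytes, or add a guard once iovlen is known and before the dhd_iovar call, e.g. `if (iovlen > WLC_IOCTL_SMLEN) { DHD_ERROR(("%s: sdtc request too large\n", __FUNCTION__)); goto exit; }`. The MFREE size in the final hunk has to stay in step with whatever size is allocated here; the function body starts and ends outside this hunk.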
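Review bot: The reply is accepted on the id match alone: the visible lines cast iov_resp->data to etb_addr_info_t and copy its fields without comparing iov_resp->len against sizeof(etb_addr_info_t). The reads stay inside the zeroed WLC_IOCTL_MAXLEN buffer, so this is not a memory-safety problem, but a short or malformed firmware reply would be stored in dhd->etb_addr_info as if it were valid. Unless a length check already exists in the lines between this hunk and the previous one (not shown), consider `if (iov_resp->len < sizeof(etb_addr_info_t)) goto exit;` before the cast. The enclosing if/else continues past the end of this hunk.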
@@ -993,7 +997,7 @@ dhd_sdtc_etb_init(dhd_pub_t *dhd)
 dhd->etb_addr_info.etbinfo_addr));
 } else {
 DHD_ERROR(("%s Unknown CMD-ID (%d) as response for request ID %d\n",
- __FUNCTION__, iov_resp->id, iov_req.id));
+ __FUNCTION__, iov_resp->id, iov_req->id));
 goto exit;
 }
@@ -1008,7 +1012,12 @@ dhd_sdtc_etb_init(dhd_pub_t *dhd)
 dhd->sdtc_etb_inited = TRUE;
 DHD_ERROR(("%s sdtc_etb_inited: %d\n", __FUNCTION__, dhd->sdtc_etb_inited));
 exit:
- MFREE(dhd->osh, buf, WLC_IOCTL_MAXLEN);
+ if (iov_req) {
+ MFREE(dhd->osh, iov_req, WLC_IOCTL_SMLEN);
+ }
+ if (buf) {
+ MFREE(dhd->osh, buf, WLC_IOCTL_MAXLEN);
+ }
 return;
 } |