author | Sungjoon Park <sungjoon.park@broadcom.corp-partner.google.com> | 2022-12-12 16:04:57 +0900 |
---|---|---|
committer | Paul Chen <chenpaul@google.com> | 2022-12-20 03:26:36 +0000 |
commit | aa4626311e2926e28ab4c7ce0599be7c5df769ab (patch) | |
tree | 8caa494bc6d3dc4d7bab1833a55a33a4b80df018 | |
parent | 56beb29852101f342c12f355bf89639a107336cc (diff) | |
download | bcm4389-aa4626311e2926e28ab4c7ce0599be7c5df769ab.tar.gz |
bcmdhd: Fixed Memory Overwrite in function add_roam_cache_listandroid-t-qpr2-beta-3_r0.5android-t-qpr2-beta-3_r0.4android-t-qpr2-beta-3_r0.3android-t-qpr2-beta-3.2_r0.6android-t-qpr2-beta-3.2_r0.5android-13.0.0_r0.91android-13.0.0_r0.77android-13.0.0_r0.75android-13.0.0_r0.74android-13.0.0_r0.73android-13.0.0_r0.70android-13.0.0_r0.69android-13.0.0_r0.68android-13.0.0_r0.64android-gs-tangorpro-5.10-android13-d2android-gs-raviole-5.10-android13-qpr2-betaandroid-gs-raviole-5.10-android13-qpr2android-gs-pantah-5.10-t-qpr2-beta-3.2android-gs-pantah-5.10-android13-qpr2-betaandroid-gs-pantah-5.10-android13-qpr2android-gs-lynx-5.10-android13-qpr2-bandroid-gs-bluejay-5.10-t-qpr2-beta-3android-gs-bluejay-5.10-android13-qpr2-betaandroid-gs-bluejay-5.10-android13-qpr2
In add_roam_cache_list of wl_roam.c, there is a possible out of bounds write due to a missing bounds check.
Fix:
1. Added bounds check
2. If SSID_len is bigger than 32, do not add that entry to the roam cache list.
Bug: 254028776
Test: BRCM Internal test is finished without regression.
Change-Id: Ifaf4a5c963e89dde3fed39888c4fa83d093f5e25
Signed-off-by: Sungjoon Park <sungjoon.park@broadcom.corp-partner.google.com>
-rw-r--r-- | wl_roam.c | 17 |
1 files changed, 14 insertions, 3 deletions
@@ -178,7 +178,7 @@ void reset_roam_cache(struct bcm_cfg80211 *cfg)
 static void
 add_roam_cache_list(uint8 *SSID, uint32 SSID_len, chanspec_t chanspec)
 {
- int i;
+ int i, ret = 0;
 uint8 channel;
 char chanbuf[CHANSPEC_STR_LEN];
@@ -186,6 +186,11 @@ add_roam_cache_list(uint8 *SSID, uint32 SSID_len, chanspec_t chanspec)
 return;
 }
+ if (SSID_len > DOT11_MAX_SSID_LEN) {
+ WL_ERR(("SSID len %u out of bounds [0-32]\n", SSID_len));
+ return;
+ }
+
 for (i = 0; i < n_roam_cache; i++) {
 if ((roam_cache[i].ssid_len == SSID_len) &&
 (roam_cache[i].chanspec == chanspec) &&
@@ -197,10 +202,16 @@ add_roam_cache_list(uint8 *SSID, uint32 SSID_len, chanspec_t chanspec)
 roam_cache[n_roam_cache].ssid_len = SSID_len;
 channel = wf_chspec_ctlchan(chanspec);
- WL_DBG(("CHSPEC = %s, CTL %d SSID %s\n",
+ WL_DBG(("CHSPEC = %s, CTL %d SSID %.32s\n",
 wf_chspec_ntoa_ex(chanspec, chanbuf), channel, SSID));
 roam_cache[n_roam_cache].chanspec = CHSPEC_BAND(chanspec) | band_bw | channel;
- (void)memcpy_s(roam_cache[n_roam_cache].ssid, SSID_len, SSID, SSID_len);
+ ret = memcpy_s(roam_cache[n_roam_cache].ssid,
+ sizeof(roam_cache[n_roam_cache].ssid), SSID, SSID_len);
+ if (ret) {
+ WL_ERR(("memcpy failed:%d, destsz:%lu, n:%d\n",
+ ret, sizeof(roam_cache[n_roam_cache].ssid), SSID_len));
+ return;
+ }
 n_roam_cache++;
 } |
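Review bot: The error log added in the third hunk prints `SSID_len` (declared `uint32` in the signature) with `%d` and a `sizeof` value with `%lu`, while the check added in the second hunk already prints the same variable with `%u`; since this is kernel printk output, `WL_ERR(("memcpy failed:%d, destsz:%zu, n:%u\n", ret, sizeof(roam_cache[n_roam_cache].ssid), SSID_len));` keeps format and arguments matched on 32-bit builds as well. The new `%.32s` in the WL_DBG line is bounded by the destination size rather than by the now-validated `SSID_len`, so it can still read up to 32 bytes of a caller buffer that may be only `SSID_len` bytes long (whether any caller passes such a buffer is not visible here); `%.*s` with `(int)SSID_len` as the preceding argument prints exactly the validated bytes. The `ssid_len` and `chanspec` fields of the slot are already written when the `memcpy_s` early return fires, which is harmless only because `n_roam_cache` is not advanced; a comment such as `/* slot is not committed until n_roam_cache++ below, so a partial write is discarded */` would make that intent explicit. The body of add_roam_cache_list between the hunks is outside this view.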