author | Sungjoon Park <sungjoon.park@broadcom.corp-partner.google.com> | 2022-12-12 16:03:02 +0900 |
---|---|---|
committer | Paul Chen <chenpaul@google.com> | 2022-12-20 03:26:30 +0000 |
commit | 56beb29852101f342c12f355bf89639a107336cc (patch) | |
tree | 78460d634cc85d4485b27cbe808920e276629b18 | |
parent | 31b7bb4d289272bdcde29b8e37cc2a5c2d5e2760 (diff) | |
bcmdhd: Fixed Memory Overwrite in function dhd_prot_ioctcmplt_process
In dhd_prot_ioctcmplt_process of dhd_msgbuf.c, there is a possible out-of-bounds write due to improper input validation.
Fix:
1. Added bounds check
2. Limited the copy length to dest length.
Bug: 254028518
Test: BRCM Internal test is finished without regression.
Change-Id: I7d000282c6732ff0963751284ac6331c7cc48d8b
Signed-off-by: Sungjoon Park <sungjoon.park@broadcom.corp-partner.google.com>
-rw-r--r-- | dhd_msgbuf.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/dhd_msgbuf.c b/dhd_msgbuf.c
index 0900fb7..4bc1d1a 100644
--- a/dhd_msgbuf.c
+++ b/dhd_msgbuf.c
@@ -7750,6 +7750,7 @@ dhd_prot_ioctcmplt_process(dhd_pub_t *dhd, void *msg)
 #ifdef REPORT_FATAL_TIMEOUTS
 uint16 dhd_xt_id;
 #endif
+ int ret = 0;
 /* Check for ioctl timeout induce flag, which is set by firing
 * dhd iovar to induce IOCTL timeout. If flag is set,
@@ -7845,11 +7846,18 @@ dhd_prot_ioctcmplt_process(dhd_pub_t *dhd, void *msg)
 pkt_id, xt_id, prot->ioctl_status, prot->ioctl_resplen));
 if (prot->ioctl_resplen > 0) {
+ uint16 copy_len = MIN(prot->ioctl_resplen, prot->retbuf.len);
 #ifndef IOCTLRESP_USE_CONSTMEM
- bcopy(PKTDATA(dhd->osh, pkt), prot->retbuf.va, prot->ioctl_resplen);
+ ret = memcpy_s(prot->retbuf.va, prot->retbuf.len, PKTDATA(dhd->osh, pkt), copy_len);
 #else
- bcopy(pkt, prot->retbuf.va, prot->ioctl_resplen);
+ ret = memcpy_s(prot->retbuf.va, prot->retbuf.len, pkt, copy_len);
 #endif /* !IOCTLRESP_USE_CONSTMEM */
+ if (ret) {
+ DHD_ERROR(("memcpy failed:%d, destsz:%d, n:%u\n",
+ ret, prot->retbuf.len, copy_len));
+ dhd_wakeup_ioctl_event(dhd, IOCTL_RETURN_ON_ERROR);
+ goto exit;
+ }
 }
 /* wake up any dhd_os_ioctl_resp_wait() */ |
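Review bot: In the second hunk, clamping `copy_len` to `prot->retbuf.len` stops the overwrite, but `prot->ioctl_resplen` still holds the larger length taken from the completion message. Any later code that sizes a read of `prot->retbuf.va` by that field would run past the buffer; that consumer is outside this hunk, so this needs confirming. I would record the clamp right after `copy_len` is computed: `if (copy_len < prot->ioctl_resplen) { DHD_ERROR(("ioctl resp truncated: %u -> %u\n", prot->ioctl_resplen, copy_len)); prot->ioctl_resplen = copy_len; }`. That also leaves a log trace when a completion reports an oversized length, which the current code truncates silently. The function body and the `exit` label lie outside the hunk, so the cleanup done on the `goto exit` path could not be checked here.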