authorSungjoon Park <sungjoon.park@broadcom.corp-partner.google.com>2022-12-12 16:03:02 +0900
committerPaul Chen <chenpaul@google.com>2022-12-20 03:26:30 +0000
commit56beb29852101f342c12f355bf89639a107336cc (patch)
tree78460d634cc85d4485b27cbe808920e276629b18
parent31b7bb4d289272bdcde29b8e37cc2a5c2d5e2760 (diff)
downloadbcm4389-56beb29852101f342c12f355bf89639a107336cc.tar.gz
bcmdhd: Fixed Memory Overwrite in function dhd_prot_ioctcmplt_process
In dhd_prot_ioctcmplt_process of dhd_msgbuf.c, there is a possible out-of-bounds write due to improper input validation. Fix: 1. Added bounds check. 2. Limited the copy length to dest length. Bug: 254028518 Test: BRCM Internal test is finished without regression. Change-Id: I7d000282c6732ff0963751284ac6331c7cc48d8b Signed-off-by: Sungjoon Park <sungjoon.park@broadcom.corp-partner.google.com>
-rw-r--r--dhd_msgbuf.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/dhd_msgbuf.c b/dhd_msgbuf.c
index 0900fb7..4bc1d1a 100644
--- a/dhd_msgbuf.c
+++ b/dhd_msgbuf.c
@@ -7750,6 +7750,7 @@ dhd_prot_ioctcmplt_process(dhd_pub_t *dhd, void *msg)
#ifdef REPORT_FATAL_TIMEOUTS
uint16 dhd_xt_id;
#endif
+ int ret = 0;
/* Check for ioctl timeout induce flag, which is set by firing
* dhd iovar to induce IOCTL timeout. If flag is set,
@@ -7845,11 +7846,18 @@ dhd_prot_ioctcmplt_process(dhd_pub_t *dhd, void *msg)
pkt_id, xt_id, prot->ioctl_status, prot->ioctl_resplen));
if (prot->ioctl_resplen > 0) {
+ uint16 copy_len = MIN(prot->ioctl_resplen, prot->retbuf.len);
#ifndef IOCTLRESP_USE_CONSTMEM
- bcopy(PKTDATA(dhd->osh, pkt), prot->retbuf.va, prot->ioctl_resplen);
+ ret = memcpy_s(prot->retbuf.va, prot->retbuf.len, PKTDATA(dhd->osh, pkt), copy_len);
#else
- bcopy(pkt, prot->retbuf.va, prot->ioctl_resplen);
+ ret = memcpy_s(prot->retbuf.va, prot->retbuf.len, pkt, copy_len);
#endif /* !IOCTLRESP_USE_CONSTMEM */
+ if (ret) {
+ DHD_ERROR(("memcpy failed:%d, destsz:%d, n:%u\n",
+ ret, prot->retbuf.len, copy_len));
+ dhd_wakeup_ioctl_event(dhd, IOCTL_RETURN_ON_ERROR);
+ goto exit;
+ }
}
/* wake up any dhd_os_ioctl_resp_wait() */
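Review bot: When `prot->ioctl_resplen` exceeds `prot->retbuf.len`, the new `copy_len` silently truncates the response while `prot->ioctl_resplen` keeps the firmware-reported value, so whatever the waiter woken after this hunk reads from that field may treat more bytes as valid than were actually copied into `retbuf.va`. Because that length arrives in the firmware message and is precisely the untrusted value this patch guards against, the clamp should be observable — log it, e.g. `if (copy_len < prot->ioctl_resplen) DHD_ERROR(("ioctl resp truncated: %u > %u\n", prot->ioctl_resplen, prot->retbuf.len));`, or set `prot->ioctl_resplen = copy_len;` after the copy if the downstream code uses that field as the copied length. The copy is bounded only on the destination side; unless `ioctl_resplen` was already checked against the packet's actual data length earlier in the function (not visible here), the source buffer can still be over-read. Minor: `destsz:%d` prints `prot->retbuf.len`, which appears to be unsigned, so `%u` would match; the enclosing function starts before and continues past this hunk (the `exit` label is also outside it).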