author | Sungjoon Park <sungjoon.park@broadcom.corp-partner.google.com> | 2022-12-12 16:04:57 +0900 |
---|---|---|
committer | Paul Chen <chenpaul@google.com> | 2022-12-20 03:24:53 +0000 |
commit | 836ae82407c9a72519c90ddad9998ed82a38ae53 (patch) | |
tree | 286cdc06d35087d39c692490837358d29140f4a4 | |
parent | 758722db62609e423528708492fcea4ee82fbc77 (diff) | |
download | bcm4389-836ae82407c9a72519c90ddad9998ed82a38ae53.tar.gz |
bcmdhd: Fixed Memory Overwrite in function add_roam_cache_list
In add_roam_cache_list of wl_roam.c, there is a possible out of bounds write due to a missing bounds check.
Fix:
1. Added bounds check
2. If SSID_len is bigger than 32, do not add that entry to the roam cache list.
Bug: 254028776
Test: BRCM Internal test is finished without regression.
Change-Id: Ifaf4a5c963e89dde3fed39888c4fa83d093f5e25
Signed-off-by: Sungjoon Park <sungjoon.park@broadcom.corp-partner.google.com>
-rw-r--r-- | wl_roam.c | 17 |
1 files changed, 14 insertions, 3 deletions
@@ -178,7 +178,7 @@ void reset_roam_cache(struct bcm_cfg80211 *cfg)
 static void
 add_roam_cache_list(uint8 *SSID, uint32 SSID_len, chanspec_t chanspec)
 {
- int i;
+ int i, ret = 0;
 uint8 channel;
 char chanbuf[CHANSPEC_STR_LEN];
@@ -186,6 +186,11 @@ add_roam_cache_list(uint8 *SSID, uint32 SSID_len, chanspec_t chanspec)
 return;
 }
+ if (SSID_len > DOT11_MAX_SSID_LEN) {
+ WL_ERR(("SSID len %u out of bounds [0-32]\n", SSID_len));
+ return;
+ }
+
 for (i = 0; i < n_roam_cache; i++) {
 if ((roam_cache[i].ssid_len == SSID_len) &&
 (roam_cache[i].chanspec == chanspec) &&
@@ -197,10 +202,16 @@ add_roam_cache_list(uint8 *SSID, uint32 SSID_len, chanspec_t chanspec)
 roam_cache[n_roam_cache].ssid_len = SSID_len;
 channel = wf_chspec_ctlchan(chanspec);
- WL_DBG(("CHSPEC = %s, CTL %d SSID %s\n",
+ WL_DBG(("CHSPEC = %s, CTL %d SSID %.32s\n",
 wf_chspec_ntoa_ex(chanspec, chanbuf), channel, SSID));
 roam_cache[n_roam_cache].chanspec = CHSPEC_BAND(chanspec) | band_bw | channel;
- (void)memcpy_s(roam_cache[n_roam_cache].ssid, SSID_len, SSID, SSID_len);
+ ret = memcpy_s(roam_cache[n_roam_cache].ssid,
+ sizeof(roam_cache[n_roam_cache].ssid), SSID, SSID_len);
+ if (ret) {
+ WL_ERR(("memcpy failed:%d, destsz:%lu, n:%d\n",
+ ret, sizeof(roam_cache[n_roam_cache].ssid), SSID_len));
+ return;
+ }
 n_roam_cache++;
 }
|
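Review bot: The message in the added length check hard-codes the limit as `[0-32]` while the comparison uses DOT11_MAX_SSID_LEN, so the text can drift from the check; printing the constant keeps them in step, e.g. `WL_ERR(("SSID len %u exceeds max %d\n", SSID_len, DOT11_MAX_SSID_LEN));`. If SSID_len can originate from received frames (its source is not visible in this hunk), an error-level log on every oversized value is worth rate-limiting or lowering to debug level so it cannot flood the kernel log. A one-line comment such as `/* reject before the memcmp/memcpy below use SSID_len as a length */` would record why the check sits ahead of the loop. The function body starts before and continues after this hunk.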
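Review bot: The debug print in the third hunk bounds the SSID with a fixed precision, `%.32s`, rather than with SSID_len, so for an SSID shorter than 32 bytes that is not NUL-terminated the formatter can still read past the caller's data (the caller's buffer is not visible here, so this is inferred). Assuming WL_DBG forwards to a printk-style formatter, passing the length explicitly avoids that: `WL_DBG(("CHSPEC = %s, CTL %d SSID %.*s\n",` with the arguments `channel, (int)SSID_len, SSID));`. In the new WL_ERR, `%lu` is given a sizeof result (size_t) and `%d` a uint32; `destsz:%zu, n:%u` matches the argument types on both 32- and 64-bit builds. add_roam_cache_list begins before this hunk.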