authorRam Sripathi <ram.sripathi@broadcom.com>2016-11-04 15:44:14 -0700
committerPat Tjin <pattjin@google.com>2016-11-17 19:18:46 +0000
commit9903a7d3d5723c8742938e47b7f7cc27811fbed5 (patch)
treed0b90931b5e871069ddfde8bc9a2be3c8c6faf93
parentf717fa7d9b7af6cb38c562f72e0223ab997de9df (diff)
net: wireless: bcmdhd: Heap over write in dhdmsgbuf_query_ioctl
Handled the heap overwrite in dhdmsgbuf_query_ioctl with explicit length checks. Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31 Bug: 31822524 Signed-off-by: Ram Sripathi <ram.sripathi@broadcom.com>
-rw-r--r--drivers/net/wireless/bcmdhd/dhd_msgbuf.c28
1 files changed, 15 insertions, 13 deletions
diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
index e1948a2c9255..fe3e9881464b 100644
--- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
+++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c
@@ -2478,22 +2478,24 @@ static int
dhdmsgbuf_query_ioctl(dhd_pub_t *dhd, int ifidx, uint cmd, void *buf, uint len, uint8 action)
{
dhd_prot_t *prot = dhd->prot;
-
int ret = 0;
- DHD_TRACE(("%s: Enter\n", __FUNCTION__));
-
- /* Respond "bcmerror" and "bcmerrorstr" with local cache */
- if (cmd == WLC_GET_VAR && buf)
- {
- if (!strcmp((char *)buf, "bcmerrorstr"))
- {
- strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN);
+ DHD_TRACE(("%s: Enter\n", __func__));
+ if (!buf || !len) {
+ DHD_ERROR(("%s(): Zero length bailing\n", __func__));
+ ret = BCME_BADARG;
+ goto done;
+ }
+ if (cmd == WLC_GET_VAR) {
+ /* Respond "bcmerror" and "bcmerrorstr" with local cache */
+ if ((len > strlen("bcmerrorstr")) &&
+ !strcmp(buf, "bcmerrorstr")) {
+ strlcpy(buf, bcmerrorstr(dhd->dongle_error), len);
goto done;
- }
- else if (!strcmp((char *)buf, "bcmerror"))
- {
- *(int *)buf = dhd->dongle_error;
+ } else if ((len > strlen("bcmerror")) &&
+ !strcmp(buf, "bcmerror")) {
+ memcpy(buf, &dhd->dongle_error,
+ sizeof(dhd->dongle_error));
goto done;
}
}
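Review bot: The two `strcmp(buf, ...)` calls in the new WLC_GET_VAR branch still read `buf` until a NUL byte, so a caller-supplied buffer that is not terminated within `len` is over-read even though the write side is now bounded by `len`; the `len > strlen(...)` guards only prove there is room for the reply, not that the request string ends inside the buffer. Since `len` is already known to exceed the literal's length, a bounded compare costs nothing: `!strncmp(buf, "bcmerrorstr", len)` and `!strncmp(buf, "bcmerror", len)` stop at the literal's terminator and never read past `len` bytes. Whether `buf` can arrive unterminated depends on the ioctl path that copies it in, which is not visible in this hunk, so treat this as a hardening step unless the caller guarantees termination. The `"Zero length bailing"` message is also emitted for a NULL `buf`; `"NULL buffer or zero length, bailing"` would describe the condition it guards. The body of dhdmsgbuf_query_ioctl, including the `done:` label these branches jump to, continues past the end of the hunk.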