author | Ram Sripathi <ram.sripathi@broadcom.com> | 2016-11-04 15:44:14 -0700 |
---|---|---|
committer | Pat Tjin <pattjin@google.com> | 2016-11-17 19:18:46 +0000 |
commit | 9903a7d3d5723c8742938e47b7f7cc27811fbed5 (patch) | |
tree | d0b90931b5e871069ddfde8bc9a2be3c8c6faf93 | |
parent | f717fa7d9b7af6cb38c562f72e0223ab997de9df (diff) | |
net: wireless: bcmdhd: Heap over write in dhdmsgbuf_query_ioctl
handled heap overwrite with checks
Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31
Bug: 31822524
Signed-off-by: Ram Sripathi <ram.sripathi@broadcom.com>
-rw-r--r-- | drivers/net/wireless/bcmdhd/dhd_msgbuf.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c index e1948a2c9255..fe3e9881464b 100644 --- a/drivers/net/wireless/bcmdhd/dhd_msgbuf.c +++ b/drivers/net/wireless/bcmdhd/dhd_msgbuf.c @@ -2478,22 +2478,24 @@ static int dhdmsgbuf_query_ioctl(dhd_pub_t *dhd, int ifidx, uint cmd, void *buf, uint len, uint8 action) { dhd_prot_t *prot = dhd->prot; - int ret = 0; - DHD_TRACE(("%s: Enter\n", __FUNCTION__)); - - /* Respond "bcmerror" and "bcmerrorstr" with local cache */ - if (cmd == WLC_GET_VAR && buf) - { - if (!strcmp((char *)buf, "bcmerrorstr")) - { - strncpy((char *)buf, bcmerrorstr(dhd->dongle_error), BCME_STRLEN); + DHD_TRACE(("%s: Enter\n", __func__)); + if (!buf || !len) { + DHD_ERROR(("%s(): Zero length bailing\n", __func__)); + ret = BCME_BADARG; + goto done; + } + if (cmd == WLC_GET_VAR) { + /* Respond "bcmerror" and "bcmerrorstr" with local cache */ + if ((len > strlen("bcmerrorstr")) && + !strcmp(buf, "bcmerrorstr")) { + strlcpy(buf, bcmerrorstr(dhd->dongle_error), len); goto done; - } - else if (!strcmp((char *)buf, "bcmerror")) - { - *(int *)buf = dhd->dongle_error; + } else if ((len > strlen("bcmerror")) && + !strcmp(buf, "bcmerror")) { + memcpy(buf, &dhd->dongle_error, + sizeof(dhd->dongle_error)); goto done; } } |
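Review bot: The new `if (!buf || !len)` guard at the top of dhdmsgbuf_query_ioctl runs for every `cmd`, not only `WLC_GET_VAR`, so any query issued without a payload buffer now fails with `BCME_BADARG` where the old code passed it on. If such callers exist (none are visible in this hunk), the guard belongs inside the `WLC_GET_VAR` branch. The log text says "Zero length" even when the cause is a NULL `buf`; `DHD_ERROR(("%s(): NULL buf or zero len\n", __func__));` would make triage easier. The bounds checks depend on `len` being the true size of `buf`, which this function cannot verify, so a comment such as `/* len must be the allocated size of buf; the cached replies below are bounded by it */` would record that contract for callers. The function body continues past the end of the hunk.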