authorDennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>2022-12-20 19:55:19 +0900
committerchenpaul <chenpaul@google.com>2022-12-29 09:17:37 +0800
commita8bfe75958bca32db6f3dbe534a66cfd168c4f8a (patch)
tree99a47e1c9540912ae5e54eb3e47216244176ce55
parent15500502b794953e025f7543b3bb1b0ed5aecf87 (diff)
downloadwlan-a8bfe75958bca32db6f3dbe534a66cfd168c4f8a.tar.gz
OOB read/write is possible in get_svc_hash() since it converts characters until the string reaches a null terminator. Added a null terminator before calling it. Bug: 261857862 Test: Checked with lldb Change-Id: Id998c69ca1dccbd3108c2e78f065521cdac45135 Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
-rwxr-xr-xbcmdhd/wifi_hal/nan.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/bcmdhd/wifi_hal/nan.cpp b/bcmdhd/wifi_hal/nan.cpp
index 2dadaf8..7ac1be8 100755
--- a/bcmdhd/wifi_hal/nan.cpp
+++ b/bcmdhd/wifi_hal/nan.cpp
@@ -702,6 +702,8 @@ class NanDiscEnginePrimitive : public WifiCommand
if (mParams->service_name_len) {
u8 svc_hash[NAN_SVC_HASH_SIZE];
+ u16 len = min(mParams->service_name_len, sizeof(mParams->service_name) - 1);
+ mParams->service_name[len] = '\0';
result = get_svc_hash(mParams->service_name, mParams->service_name_len,
svc_hash, NAN_SVC_HASH_SIZE);
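Review bot: The clamped `len` is used only to place the terminator; the call below still passes the raw `mParams->service_name_len` to `get_svc_hash()`, so if that function uses its length argument for anything other than the NUL scan, an oversized value still reaches it. Passing the clamped value keeps the two consistent: `result = get_svc_hash(mParams->service_name, len, svc_hash, NAN_SVC_HASH_SIZE);`. The body of `get_svc_hash()` is not visible in this diff, so this should be confirmed against it. The same applies to the identical lines in the hunk at `@@ -1066`; both enclosing methods start and end outside their hunks.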
@@ -1066,6 +1068,8 @@ class NanDiscEnginePrimitive : public WifiCommand
if (mParams->service_name_len) {
u8 svc_hash[NAN_SVC_HASH_SIZE];
+ u16 len = min(mParams->service_name_len, sizeof(mParams->service_name) - 1);
+ mParams->service_name[len] = '\0';
result = get_svc_hash(mParams->service_name, mParams->service_name_len,
svc_hash, NAN_SVC_HASH_SIZE);
@@ -5429,6 +5433,9 @@ wifi_error nan_data_request_initiator(transaction_id id,
#endif /* CONFIG_BRCM */
counters.dp_req++;
if (msg->service_name_len) {
+ u16 len = min(msg->service_name_len, sizeof(msg->service_name) - 1);
+ msg->service_name[len] = '\0';
+
if (strncmp(NAN_OOB_INTEROP_SVC_NAME,
(char*)msg->service_name, msg->service_name_len) == 0) {
ALOGI("Use Hardcoded svc_hash\n");
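Review bot: An out-of-range `msg->service_name_len` is silently clamped here instead of being rejected, and if the HAL allows a name that fills the whole buffer, its last byte is overwritten by the terminator, so the comparison (and presumably any hash derived afterwards) runs on a different string than the caller supplied. Consider failing early when the length cannot fit together with a terminator, e.g. `if (msg->service_name_len >= sizeof(msg->service_name)) return WIFI_ERROR_INVALID_ARGS;`, placed where no cleanup is skipped, or at minimum document the in-place write with `// service_name is not guaranteed NUL-terminated by the caller; terminate before string ops`. The `strncmp` bound is also still the raw `msg->service_name_len`, where `len` would be the consistent choice. The same holds for the hunk in `nan_data_indication_response`; both function bodies continue outside their hunks.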
@@ -5514,6 +5521,9 @@ wifi_error nan_data_indication_response(transaction_id id,
#endif /* CONFIG_BRCM */
counters.dp_resp++;
if (msg->service_name_len) {
+ u16 len = min(msg->service_name_len, sizeof(msg->service_name) - 1);
+ msg->service_name[len] = '\0';
+
if (strncmp(NAN_OOB_INTEROP_SVC_NAME,
(char*)msg->service_name, msg->service_name_len) == 0) {
ALOGI("Use Hardcoded svc_hash\n");