authorDennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>2022-12-15 21:02:11 +0900
committerchenpaul <chenpaul@google.com>2022-12-29 09:17:18 +0800
commit15500502b794953e025f7543b3bb1b0ed5aecf87 (patch)
tree3768bfb78d7d003564550cfdfe8667ca307197d9
parentdd6084ba8f5ce59234d107182e75267c53c91a30 (diff)
downloadwlan-15500502b794953e025f7543b3bb1b0ed5aecf87.tar.gz
Fix OOB write possible when len equals sizeof array
service_specific_info_len is set to serviceSpecificInfo.size(). When the length equals sizeof(service_specific_info), an OOB write is possible. Bug: 261857623 Test: tested with poc program Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com> Change-Id: Ifdaaf475555fd4c9836758d2e804fcee4f822a89
-rwxr-xr-xbcmdhd/wifi_hal/nan.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/bcmdhd/wifi_hal/nan.cpp b/bcmdhd/wifi_hal/nan.cpp
index 2f0008e..2dadaf8 100755
--- a/bcmdhd/wifi_hal/nan.cpp
+++ b/bcmdhd/wifi_hal/nan.cpp
@@ -1386,6 +1386,8 @@ class NanDiscEnginePrimitive : public WifiCommand
}
if (mParams->service_specific_info_len > 0) {
+ u16 len = min(mParams->service_specific_info_len,
+ sizeof(mParams->service_specific_info) - 1);
result = request.put_u16(NAN_ATTRIBUTE_SERVICE_SPECIFIC_INFO_LEN,
mParams->service_specific_info_len);
if (result < 0) {
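Review bot: The clamped `len` added here is not used for the length attribute: the `put_u16` call directly below still sends `mParams->service_specific_info_len`, and `len` is only consumed by the terminator write in the second hunk. If the length can ever exceed the array, the payload put between the two hunks (not visible here) would presumably still read past `service_specific_info`, so an explicit check at the top of this branch, `if (mParams->service_specific_info_len > sizeof(mParams->service_specific_info)) return <error code>;`, would be safer than clamping. `min` also mixes a `u16` with a `size_t` and narrows the result back to `u16`; a cast on the `sizeof` operand would make that intentional. The enclosing method starts and ends outside the hunk.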
@@ -1400,7 +1402,7 @@ class NanDiscEnginePrimitive : public WifiCommand
ALOGE("%s: Failed to put svc info, result = %d", __func__, result);
return result;
}
- mParams->service_specific_info[mParams->service_specific_info_len] = '\0';
+ mParams->service_specific_info[len] = '\0';
ALOGI("Transmit service info string is %s\n", mParams->service_specific_info);
}
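Review bot: The terminator write at `service_specific_info[len]` still modifies the caller's parameter buffer, and when the length equals the array size it overwrites the last payload byte, only so that the `ALOGI` below can use `%s`. Dropping the write and bounding the log instead, `ALOGI("Transmit service info string is %.*s\n", (int)len, mParams->service_specific_info);`, leaves the buffer untouched. The payload is length-delimited and may not be printable text, so logging only the length or a hex dump may fit better; that depends on callers not shown here.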