diff options
author | Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com> | 2022-12-29 07:53:49 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-12-29 07:53:49 +0000 |
commit | e2bb2f5b85620f7db9f7730dfb6927bda5320f8e (patch) | |
tree | 12e7a1f1bfb760ab0d1cde38a51b6aab9227ac16 | |
parent | 39a786de6e1c446507160abce22b04f8012e6f08 (diff) | |
parent | ef56977e0830a47472154d95fff06dd25fba09db (diff) | |
download | wlan-e2bb2f5b85620f7db9f7730dfb6927bda5320f8e.tar.gz |
Fixed OOB read/write possible when len equals sizeof array am: a8bfe75958 am: ef56977e08
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/20800788
Change-Id: I0d0b869f741c747d86cf903febc4c39a857596ff
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rwxr-xr-x | bcmdhd/wifi_hal/nan.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/bcmdhd/wifi_hal/nan.cpp b/bcmdhd/wifi_hal/nan.cpp index b25a41e..a2d2d47 100755 --- a/bcmdhd/wifi_hal/nan.cpp +++ b/bcmdhd/wifi_hal/nan.cpp @@ -702,6 +702,8 @@ class NanDiscEnginePrimitive : public WifiCommand if (mParams->service_name_len) { u8 svc_hash[NAN_SVC_HASH_SIZE]; + u16 len = min(mParams->service_name_len, sizeof(mParams->service_name) - 1); + mParams->service_name[len] = '\0'; result = get_svc_hash(mParams->service_name, mParams->service_name_len, svc_hash, NAN_SVC_HASH_SIZE); @@ -1066,6 +1068,8 @@ class NanDiscEnginePrimitive : public WifiCommand if (mParams->service_name_len) { u8 svc_hash[NAN_SVC_HASH_SIZE]; + u16 len = min(mParams->service_name_len, sizeof(mParams->service_name) - 1); + mParams->service_name[len] = '\0'; result = get_svc_hash(mParams->service_name, mParams->service_name_len, svc_hash, NAN_SVC_HASH_SIZE); @@ -5429,6 +5433,9 @@ wifi_error nan_data_request_initiator(transaction_id id, #endif /* CONFIG_BRCM */ counters.dp_req++; if (msg->service_name_len) { + u16 len = min(msg->service_name_len, sizeof(msg->service_name) - 1); + msg->service_name[len] = '\0'; + if (strncmp(NAN_OOB_INTEROP_SVC_NAME, (char*)msg->service_name, msg->service_name_len) == 0) { ALOGI("Use Hardcoded svc_hash\n"); @@ -5514,6 +5521,9 @@ wifi_error nan_data_indication_response(transaction_id id, #endif /* CONFIG_BRCM */ counters.dp_resp++; if (msg->service_name_len) { + u16 len = min(msg->service_name_len, sizeof(msg->service_name) - 1); + msg->service_name[len] = '\0'; + if (strncmp(NAN_OOB_INTEROP_SVC_NAME, (char*)msg->service_name, msg->service_name_len) == 0) { ALOGI("Use Hardcoded svc_hash\n"); |