Fixed OOB read/write possible when len equals sizeof array am: a8bfe75958 am: ef56977e08

Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/20800788 Change-Id: I0d0b869f741c747d86cf903febc4c39a857596ff Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com> 2022-12-29 07:53:49 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2022-12-29 07:53:49 +0000
commit: e2bb2f5b85620f7db9f7730dfb6927bda5320f8e (patch)
tree: 12e7a1f1bfb760ab0d1cde38a51b6aab9227ac16
parent: 39a786de6e1c446507160abce22b04f8012e6f08 (diff)
parent: ef56977e0830a47472154d95fff06dd25fba09db (diff)
download: wlan-e2bb2f5b85620f7db9f7730dfb6927bda5320f8e.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/bcmdhd/wifi_hal/nan.cpp b/bcmdhd/wifi_hal/nan.cpp
index b25a41e..a2d2d47 100755
--- a/bcmdhd/wifi_hal/nan.cpp
+++ b/bcmdhd/wifi_hal/nan.cpp
@@ -702,6 +702,8 @@ class NanDiscEnginePrimitive : public WifiCommand
 
         if (mParams->service_name_len) {
             u8 svc_hash[NAN_SVC_HASH_SIZE];
+            u16 len = min(mParams->service_name_len, sizeof(mParams->service_name) - 1);
+            mParams->service_name[len] = '\0';
 
             result = get_svc_hash(mParams->service_name, mParams->service_name_len,
                     svc_hash, NAN_SVC_HASH_SIZE);
@@ -1066,6 +1068,8 @@ class NanDiscEnginePrimitive : public WifiCommand
 
         if (mParams->service_name_len) {
             u8 svc_hash[NAN_SVC_HASH_SIZE];
+            u16 len = min(mParams->service_name_len, sizeof(mParams->service_name) - 1);
+            mParams->service_name[len] = '\0';
 
             result = get_svc_hash(mParams->service_name, mParams->service_name_len,
                     svc_hash, NAN_SVC_HASH_SIZE);
@@ -5429,6 +5433,9 @@ wifi_error nan_data_request_initiator(transaction_id id,
 #endif /* CONFIG_BRCM */
     counters.dp_req++;
     if (msg->service_name_len) {
+        u16 len = min(msg->service_name_len, sizeof(msg->service_name) - 1);
+        msg->service_name[len] = '\0';
+
         if (strncmp(NAN_OOB_INTEROP_SVC_NAME,
                     (char*)msg->service_name, msg->service_name_len) == 0) {
             ALOGI("Use Hardcoded svc_hash\n");
@@ -5514,6 +5521,9 @@ wifi_error nan_data_indication_response(transaction_id id,
 #endif /* CONFIG_BRCM */
     counters.dp_resp++;
     if (msg->service_name_len) {
+        u16 len = min(msg->service_name_len, sizeof(msg->service_name) - 1);
+        msg->service_name[len] = '\0';
+
         if (strncmp(NAN_OOB_INTEROP_SVC_NAME,
                     (char*)msg->service_name, msg->service_name_len) == 0) {
             ALOGI("Use Hardcoded svc_hash\n");
author	Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>	2022-12-29 07:53:49 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-12-29 07:53:49 +0000
commit	e2bb2f5b85620f7db9f7730dfb6927bda5320f8e (patch)
tree	12e7a1f1bfb760ab0d1cde38a51b6aab9227ac16
parent	39a786de6e1c446507160abce22b04f8012e6f08 (diff)
parent	ef56977e0830a47472154d95fff06dd25fba09db (diff)
download	wlan-e2bb2f5b85620f7db9f7730dfb6927bda5320f8e.tar.gz