summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>2022-12-29 07:20:26 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-12-29 07:20:26 +0000
commit17a101dc4db673a6ae2963670c449395343d9d41 (patch)
tree6fc080ec86699d17ee4fecbcc5795db654332a01
parent5b99260608bdda7e9f598ad50580e4cca58cdfc6 (diff)
parent15500502b794953e025f7543b3bb1b0ed5aecf87 (diff)
downloadwlan-17a101dc4db673a6ae2963670c449395343d9d41.tar.gz
Fix OOB write possible when len equals sizeof array am: 15500502b7
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/20770980 Change-Id: I6b5019300ef3be58c9108858572a53f01a23148e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Diffstat
-rwxr-xr-xbcmdhd/wifi_hal/nan.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/bcmdhd/wifi_hal/nan.cpp b/bcmdhd/wifi_hal/nan.cpp
index bfc33e0..b25a41e 100755
--- a/bcmdhd/wifi_hal/nan.cpp
+++ b/bcmdhd/wifi_hal/nan.cpp
@@ -1386,6 +1386,8 @@ class NanDiscEnginePrimitive : public WifiCommand
}
if (mParams->service_specific_info_len > 0) {
+ u16 len = min(mParams->service_specific_info_len,
+ sizeof(mParams->service_specific_info) - 1);
result = request.put_u16(NAN_ATTRIBUTE_SERVICE_SPECIFIC_INFO_LEN,
mParams->service_specific_info_len);
if (result < 0) {
@@ -1400,7 +1402,7 @@ class NanDiscEnginePrimitive : public WifiCommand
ALOGE("%s: Failed to put svc info, result = %d", __func__, result);
return result;
}
- mParams->service_specific_info[mParams->service_specific_info_len] = '\0';
+ mParams->service_specific_info[len] = '\0';
ALOGI("Transmit service info string is %s\n", mParams->service_specific_info);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-12 17:41:08 +0000