authorSourav Mohapatra <mohapatr@codeaurora.org>2018-11-30 16:27:05 +0530
committerSrinivas Girigowda <quic_sgirigow@quicinc.com>2019-02-22 10:16:38 -0800
commita4a444868654b611cdfc6423d7c061e44da5ac07 (patch)
tree428bf94b2908be2f81520ba001f574481285b51c
parentb20c816d3106bc81393456114d4f334cf373e094 (diff)
qcacld-3.0: Validate user input for null termination
In hdd_dns_make_name_query() the parameter string is a user controlled input. The driver assumes that the input is null terminated string and accordingly the exit condition of the loop is specified. In case the user sends input with no null termination then it can lead to possible OOB scenario. Add a null termination validation on the string so that any erroneous input is filtered. Change-Id: I2abb4875569c508179c4488347f7c9aae0666332 CRs-Fixed: 2342812 Bug: 125746836 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r--core/hdd/src/wlan_hdd_cfg80211.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index bb25c1a646..68cd1af68a 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -10818,11 +10818,17 @@ static inline uint8_t *hdd_dns_unmake_name_query(uint8_t *name)
*
* Return: Byte following constructed DNS name
*/
-static uint8_t *hdd_dns_make_name_query(const uint8_t *string, uint8_t *buf)
+static uint8_t *hdd_dns_make_name_query(const uint8_t *string,
+ uint8_t *buf, uint8_t len)
{
uint8_t *length_byte = buf++;
uint8_t c;
+ if (string[len - 1]) {
+ hdd_debug("DNS name is not null terminated");
+ return NULL;
+ }
+
while ((c = *(string++))) {
if (c == '.') {
*length_byte = buf - length_byte - 1;
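Review bot: The new guard `if (string[len - 1])` reads `string[-1]` when `len` is 0, because the `uint8_t` is promoted to int before the subtraction, and nothing visible in this hunk rules out a zero-length attribute; `if (!len || string[len - 1])` closes that case. `len` is also declared `uint8_t` while the caller in the second hunk passes a value taken from `nla_len()`, so a name longer than 255 bytes would presumably be truncated and the check would inspect the wrong byte; an `int` or `size_t` parameter avoids that, provided `track_dns_domain_len` is itself wide enough (its type is not visible here). The check only proves a terminator exists within the input. It does not bound the writes into `buf`, whose size is declared outside this hunk, and the function body continues past the hunk.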
@@ -10911,8 +10917,12 @@ static int hdd_set_clear_connectivity_check_stats_info(
adapter->track_dns_domain_len =
nla_len(tb2[
STATS_DNS_DOMAIN_NAME]);
- hdd_dns_make_name_query(domain_name,
- adapter->dns_payload);
+ if (!hdd_dns_make_name_query(
+ domain_name,
+ adapter->dns_payload,
+ adapter->track_dns_domain_len))
+ adapter->track_dns_domain_len =
+ 0;
/* DNStracking isn't supported in FW. */
arp_stats_params->pkt_type_bitmap &=
~CONNECTIVITY_CHECK_SET_DNS;
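Review bot: The failure branch of the new `if (!hdd_dns_make_name_query(...))` only resets `adapter->track_dns_domain_len` to 0 and then carries on, so a request with a malformed domain name still appears to succeed from userspace. Because the helper returns before writing anything, `adapter->dns_payload` keeps whatever an earlier request left in it; whether any later code reads it when the length is 0 is not visible here. Consider rejecting the request instead, e.g. `return -EINVAL;`, if the function's cleanup path (outside this hunk) allows an early return. A short comment such as `/* name rejected: disable DNS tracking for this request */` above the assignment would make the intent of the zero length clear.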