diff options
| author | Insun Song <insun.song@broadcom.com> | 2017-01-23 17:53:34 -0800 |
|---|---|---|
| committer | Mark Salyzyn <salyzyn@google.com> | 2017-08-30 12:41:25 -0700 |
| commit | fa7d4389a601791a27712c350a5f2c36a8e05561 (patch) | |
| tree | b1b93c3eaef016dfbe8664f6a7d0bcbaa88def41 | |
| parent | a58d6f82572479b8a0942590530a5c5582f6675d (diff) | |
| download | tegra-android-tegra-flounder-3.10-nougat-mr1-volantis.tar.gz | |
net: wireless: bcmdhd: fix buffer overrun in dhd_pno_process_anqpo_resultandroid-7.1.1_r0.79android-7.1.1_r0.75android-tegra-flounder-3.10-nougat-mr1.1android-tegra-flounder-3.10-nougat-mr1-volantis
added boundary check not to overflow buffer
especially when input parameters manipulated.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: I37f3b39f5d90b9d2a7c1f8311cf2e4aa59f71c52
Bug: 34198931
| -rw-r--r-- | drivers/net/wireless/bcmdhd/dhd_pno.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c index e10d7b308642..c2d796eee7aa 100644 --- a/drivers/net/wireless/bcmdhd/dhd_pno.c +++ b/drivers/net/wireless/bcmdhd/dhd_pno.c @@ -3667,11 +3667,32 @@ dhd_pno_process_anqpo_result(dhd_pub_t *dhd, const void *data, uint32 event, int { wl_bss_info_t *bi = (wl_bss_info_t *)data; wifi_gscan_full_result_t *result = NULL; - wl_event_gas_t *gas_data = (wl_event_gas_t *)((uint8 *)data + - bi->ie_offset + bi->ie_length); uint8 channel; uint32 mem_needed; struct timespec ts; + wl_event_gas_t *gas_data; + + if (!bi) { + DHD_ERROR(("%s: bi NULL.\n", __FUNCTION__)); + return NULL; + } + if ((bi->SSID_len > DOT11_MAX_SSID_LEN) || + (bi->ie_length > (*size - sizeof(wl_bss_info_t))) || + (bi->ie_offset < sizeof(wl_bss_info_t)) || + (bi->ie_offset > (sizeof(wl_bss_info_t) + bi->ie_length))) { + DHD_ERROR(("%s: tot:%d,SSID:%d,ie_len:%d,ie_off:%d\n", + __FUNCTION__, *size, bi->SSID_len, + bi->ie_length, bi->ie_offset)); + return NULL; + } + + gas_data = (wl_event_gas_t *)((uint8 *)data + bi->ie_offset + bi->ie_length); + + if (gas_data->data_len > (*size - (bi->ie_offset + bi->ie_length))) { + DHD_ERROR(("%s: wrong gas_data_len:%d\n", + __FUNCTION__, gas_data->data_len)); + return NULL; + } if (event == WLC_E_PFN_NET_FOUND) { mem_needed = OFFSETOF(wifi_gscan_full_result_t, ie_data) + bi->ie_length + |