diff options
author | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-03-10 02:07:02 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-03-10 02:07:02 +0000 |
commit | a6cd43e06d3986331237994383b17ec054b98a87 (patch) | |
tree | 1d4b41fa17c48906cc6b40d0a64df3da2b1c892f | |
parent | b5443ba1ef2fc22fa25d1fdd321bb21d1e204c52 (diff) | |
parent | 2617c225e7ee56b27608cf75f8ec3244c54f02fc (diff) | |
download | wlan-a6cd43e06d3986331237994383b17ec054b98a87.tar.gz |
qcwcn: Heap-buffer-overflow in register_monitor_sock() of wifi hal am: 0ed8dbf042 am: 027a922c95 am: 2617c225e7
Change-Id: I1a205d117808be5d1b77e47a1b327d454e34b3d4
-rw-r--r-- | qcwcn/wifi_hal/wifi_hal.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp index 2a6a9e9..4576063 100644 --- a/qcwcn/wifi_hal/wifi_hal.cpp +++ b/qcwcn/wifi_hal/wifi_hal.cpp @@ -1291,6 +1291,12 @@ static int register_monitor_sock(wifi_handle handle, wifihal_ctrl_req_t *ctrl_ms if(attach) { + if (ctrl_msg->monsock_len > sizeof(struct sockaddr_un)) + { + ALOGE("%s: Invalid monitor socket length \n", __FUNCTION__); + return -3; + } + nreg = (wifihal_mon_sock_t *)malloc(sizeof(*reg) + match_len); if (!nreg) return -1; |