diff options
author | Vinay Gannevaram <quic_vganneva@quicinc.com> | 2020-01-20 13:20:30 +0530 |
---|---|---|
committer | Sunil Ravi <sunilravi@google.com> | 2020-03-05 16:36:12 -0800 |
commit | 0ed8dbf042a7b00ad9efa10d1f6a945b1423682f (patch) | |
tree | 056c465e86693df2431769f5a68be6891874d8ac /qcwcn/wifi_hal | |
parent | 0a1b211537405d3a1d64ae9a1d6feee58262a41f (diff) | |
download | wlan-0ed8dbf042a7b00ad9efa10d1f6a945b1423682f.tar.gz |
qcwcn: Heap-buffer-overflow in register_monitor_sock() of wifi hal
This changes is to avoid the buffer-overflow in register_monitor_sock()
where "nreg->monsock" is getting filled with the data of length
"ctrl_msg->monsock_len" without the validation of length. Address this
issue by have a length check done before filling the buffer.
Bug: 149836664
Test: Manual - Basic wifi sanity test
CRs-Fixed: 2604404
Change-Id: I36b7ac274bd4f92eceabd5bd6534c73ae5a9ae73
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
Diffstat (limited to 'qcwcn/wifi_hal')
-rw-r--r-- | qcwcn/wifi_hal/wifi_hal.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp index cb770ee..61f7ee6 100644 --- a/qcwcn/wifi_hal/wifi_hal.cpp +++ b/qcwcn/wifi_hal/wifi_hal.cpp @@ -1291,6 +1291,12 @@ static int register_monitor_sock(wifi_handle handle, wifihal_ctrl_req_t *ctrl_ms if(attach) { + if (ctrl_msg->monsock_len > sizeof(struct sockaddr_un)) + { + ALOGE("%s: Invalid monitor socket length \n", __FUNCTION__); + return -3; + } + nreg = (wifihal_mon_sock_t *)malloc(sizeof(*reg) + match_len); if (!nreg) return -1; |