authorVinay Gannevaram <quic_vganneva@quicinc.com>2020-01-20 13:20:30 +0530
committerSunil Ravi <sunilravi@google.com>2020-03-05 16:36:12 -0800
commit0ed8dbf042a7b00ad9efa10d1f6a945b1423682f (patch)
tree056c465e86693df2431769f5a68be6891874d8ac /qcwcn/wifi_hal
parent0a1b211537405d3a1d64ae9a1d6feee58262a41f (diff)
downloadwlan-0ed8dbf042a7b00ad9efa10d1f6a945b1423682f.tar.gz
qcwcn: Heap-buffer-overflow in register_monitor_sock() of wifi hal
This change avoids the buffer overflow in register_monitor_sock(), where "nreg->monsock" is filled with data of length "ctrl_msg->monsock_len" without the length being validated. Address this issue by checking the length before filling the buffer. Bug: 149836664 Test: Manual - Basic wifi sanity test CRs-Fixed: 2604404 Change-Id: I36b7ac274bd4f92eceabd5bd6534c73ae5a9ae73 Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
Diffstat (limited to 'qcwcn/wifi_hal')
-rw-r--r--qcwcn/wifi_hal/wifi_hal.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index cb770ee..61f7ee6 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1291,6 +1291,12 @@ static int register_monitor_sock(wifi_handle handle, wifihal_ctrl_req_t *ctrl_ms
if(attach)
{
+ if (ctrl_msg->monsock_len > sizeof(struct sockaddr_un))
+ {
+ ALOGE("%s: Invalid monitor socket length \n", __FUNCTION__);
+ return -3;
+ }
+
nreg = (wifihal_mon_sock_t *)malloc(sizeof(*reg) + match_len);
if (!nreg)
return -1;