author | dataanddreams <dataanddreams@gmail.com> | 2015-12-01 10:57:28 -0500 |
---|---|---|
committer | Simon Shields <keepcalm444@gmail.com> | 2016-03-12 22:23:19 +1100 |
commit | c3f6d1154c2af856d66c6367f91bcb6efceced8a (patch) | |
tree | 5ea2e2588ac7d7c79b54d6a7b45d017b08976d3c | |
parent | b152bb944d40c369236e0d642f8296fdbacabfa2 (diff) | |
bcmdhd: Add checks for stack buffer overflows
These two checks prevent exploitable buffer overflows in two scenarios.
1. Long WPS_ID_DEVICE_NAME in WPS info elements
2. Invalid SSID determined in certain scan results
Bug: 25661991
Change-Id: Ie2f99897df2e4ce9fabcc03bb6091796777f95fa
-rw-r--r-- | drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c index e9dfcd0..5073913 100644 --- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c +++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c @@ -1128,8 +1128,9 @@ wl_validate_wps_ie(char *wps_ie, s32 wps_ie_len, bool *pbc) WL_DBG((" attr WPS_ID_CONFIG_METHODS: %x\n", HTON16(val))); } else if (subelt_id == WPS_ID_DEVICE_NAME) { char devname[100]; - memcpy(devname, subel, subelt_len); - devname[subelt_len] = '\0'; + size_t namelen = MIN(subelt_len, sizeof(devname)); + memcpy(devname, subel, namelen); + devname[namelen-1] = '\0'; WL_DBG((" attr WPS_ID_DEVICE_NAME: %s (len %u)\n", devname, subelt_len)); } else if (subelt_id == WPS_ID_DEVICE_PWD_ID) { @@ -9090,6 +9091,10 @@ wl_notify_sched_scan_results(struct bcm_cfg80211 *cfg, struct net_device *ndev, * scan request in the form of cfg80211_scan_request. For timebeing, create * cfg80211_scan_request one out of the received PNO event. */ + ssid[i].ssid_len = MIN(DOT11_MAX_SSID_LEN, netinfo->pfnsubnet.SSID_len); + memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID, ssid[i].ssid_len); + request->n_ssids++; + memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID, netinfo->pfnsubnet.SSID_len); ssid[i].ssid_len = netinfo->pfnsubnet.SSID_len; |
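Review bot: The new terminator write `devname[namelen-1] = '\0';` in the WPS_ID_DEVICE_NAME branch goes out of bounds if the attribute can arrive with a zero length, because `namelen` is a `size_t` and `namelen-1` then wraps to the largest index. It also overwrites the last copied byte of every name, so the debug line always prints the name one character short. Clamping to the room left for the terminator fixes both: `size_t namelen = MIN(subelt_len, sizeof(devname) - 1);` followed by `devname[namelen] = '\0';`. The declaration of `subelt_len` and any check of it against the remaining `wps_ie_len` lie outside the hunk, so confirm that `MIN` is not comparing signed with unsigned operands and that `subel` really has `subelt_len` readable bytes.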
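Review bot: The unbounded copy in wl_notify_sched_scan_results is still present after this change. The clamped `ssid_len`/`memcpy` pair is inserted above the original `memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID, netinfo->pfnsubnet.SSID_len);` and `ssid[i].ssid_len = netinfo->pfnsubnet.SSID_len;`, which stay as context lines and run afterwards with the unclamped length; the diffstat's two deletions both belong to the first hunk. An oversized `SSID_len` in a scan result would therefore still be copied into `ssid[i].ssid` (presumably DOT11_MAX_SSID_LEN bytes, its declaration is not visible) and stored in the request. Delete the two original statements so that only the clamped pair remains. The added `request->n_ssids++;` should also be checked against the code following the hunk, which is not shown: if the original increment is still there, each network is counted twice.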