diff options
author | dataanddreams <dataanddreams@gmail.com> | 2015-12-01 10:57:28 -0500 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-03-18 01:51:05 +0100 |
commit | 4c35eb21cf8b9b700e85562074c44aeb9952d897 (patch) | |
tree | 203d028e469233c4b8fafa8db546e672e07af76a | |
parent | f1ac000fe82294b4f778158cc3c3e2bc768b230a (diff) | |
download | kernel_samsung_smdk4412-4c35eb21cf8b9b700e85562074c44aeb9952d897.zip kernel_samsung_smdk4412-4c35eb21cf8b9b700e85562074c44aeb9952d897.tar.gz kernel_samsung_smdk4412-4c35eb21cf8b9b700e85562074c44aeb9952d897.tar.bz2 |
bcmdhd: Add checks for stack buffer overflows
These two checks prevent exploitable buffer overflows in two scenarios.
1. Long WPS_ID_DEVICE_NAME in WPS info elements
2. Invalid SSID determined in certain scan results
Bug: 25661991
Change-Id: Ie2f99897df2e4ce9fabcc03bb6091796777f95fa
-rw-r--r-- | drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c index e9dfcd0..5073913 100644 --- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c +++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c @@ -1128,8 +1128,9 @@ wl_validate_wps_ie(char *wps_ie, s32 wps_ie_len, bool *pbc) WL_DBG((" attr WPS_ID_CONFIG_METHODS: %x\n", HTON16(val))); } else if (subelt_id == WPS_ID_DEVICE_NAME) { char devname[100]; - memcpy(devname, subel, subelt_len); - devname[subelt_len] = '\0'; + size_t namelen = MIN(subelt_len, sizeof(devname)); + memcpy(devname, subel, namelen); + devname[namelen-1] = '\0'; WL_DBG((" attr WPS_ID_DEVICE_NAME: %s (len %u)\n", devname, subelt_len)); } else if (subelt_id == WPS_ID_DEVICE_PWD_ID) { @@ -9090,6 +9091,10 @@ wl_notify_sched_scan_results(struct bcm_cfg80211 *cfg, struct net_device *ndev, * scan request in the form of cfg80211_scan_request. For timebeing, create * cfg80211_scan_request one out of the received PNO event. */ + ssid[i].ssid_len = MIN(DOT11_MAX_SSID_LEN, netinfo->pfnsubnet.SSID_len); + memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID, ssid[i].ssid_len); + request->n_ssids++; + memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID, netinfo->pfnsubnet.SSID_len); ssid[i].ssid_len = netinfo->pfnsubnet.SSID_len; |