Google Git
Sign in
android / kernel / mediatek / 70665a2f99f1d71238f338b3e6740fa753f4cd7e
commit70665a2f99f1d71238f338b3e6740fa753f4cd7e[log] [tgz]
authoryang-cy.chen <yang-cy.chen@mediatek.com>Thu Jan 14 10:57:45 2016 +0800
committerJin Qian <jinqian@google.com>Fri Jan 15 02:19:14 2016 +0000
tree63e67d80ff2da9bc0d6414fa325a443b7b868e5d
parentf029d0d424d327535f5c4f8a2af1c8e26a48adb3 [diff]
Fix "[Security Vulnerability]mt_wifi IOCTL_GET_STRUCT EOP" issue

Problem:
prNdisReq->ndisOidContent is in a static allocation of size 0x1000,
and prIwReqData->data.length is a usermode controlled unsigned short
,so the copy_from_user results in memory corruption.

Solution:
Add boundary protection to prevent buffer overflow

Bug num:26267358

Change-Id: I70f9d2affb9058e2e80b6b9f8278d538186283d3
Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com>
(cherry picked from commit 9c112c7344a2642a6e7ee29ee920900248a29e8a)
1 file changed
tree: 63e67d80ff2da9bc0d6414fa325a443b7b868e5d
  1. android/
  2. arch/
  3. block/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .gitignore
  24. .mailmap
  25. Android.mk
  26. build.config
  27. build.config.svelte
  28. build.sh
  29. CleanSpec.mk
  30. COPYING
  31. CREDITS
  32. Kbuild
  33. Kconfig
  34. MAINTAINERS
  35. Makefile
  36. README
  37. REPORTING-BUGS