Google Git
Sign in
android / kernel / mediatek / 70665a2f99f1d71238f338b3e6740fa753f4cd7e^! / .
commit70665a2f99f1d71238f338b3e6740fa753f4cd7e[log] [tgz]
authoryang-cy.chen <yang-cy.chen@mediatek.com>Thu Jan 14 10:57:45 2016 +0800
committerJin Qian <jinqian@google.com>Fri Jan 15 02:19:14 2016 +0000
tree63e67d80ff2da9bc0d6414fa325a443b7b868e5d
parentf029d0d424d327535f5c4f8a2af1c8e26a48adb3 [diff]
Fix "[Security Vulnerability]mt_wifi IOCTL_GET_STRUCT EOP" issue

Problem:
prNdisReq->ndisOidContent is in a static allocation of size 0x1000,
and prIwReqData->data.length is a usermode controlled unsigned short
,so the copy_from_user results in memory corruption.

Solution:
Add boundary protection to prevent buffer overflow

Bug num:26267358

Change-Id: I70f9d2affb9058e2e80b6b9f8278d538186283d3
Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com>
(cherry picked from commit 9c112c7344a2642a6e7ee29ee920900248a29e8a)

diff --git a/drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c b/drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
index fdd46e8..65ee356 100644
--- a/drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
+++ b/drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c

@@ -1680,6 +1680,7 @@
     UINT_32         u4BufLen = 0;
     PUINT_32        pu4IntBuf = NULL;
     int             status = 0;
+    UINT_32         u4CopyDataMax = 0;
 
     kalMemZero(&aucOidBuf[0], sizeof(aucOidBuf));
 
@@ -1750,9 +1751,11 @@
         pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
         prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
 
-        if (copy_from_user(&prNdisReq->ndisOidContent[0],
-                prIwReqData->data.pointer,
-                prIwReqData->data.length)) {
+        u4CopyDataMax = sizeof(aucOidBuf) - OFFSET_OF(NDIS_TRANSPORT_STRUCT, ndisOidContent);
+        if ((prIwReqData->data.length>u4CopyDataMax)
+	    || copy_from_user(&prNdisReq->ndisOidContent[0],
+            prIwReqData->data.pointer,
+            prIwReqData->data.length)) {
             DBGLOG(REQ, INFO, ("priv_get_struct() copy_from_user oidBuf fail\n"));
             return -EFAULT;
         }