Fix "[Security Vulnerability]mt_wifi IOCTL_GET_STRUCT EOP" issue
Problem:
prNdisReq->ndisOidContent is in a static allocation of size 0x1000,
and prIwReqData->data.length is a usermode-controlled unsigned short,
so the copy_from_user results in memory corruption.
Solution:
Add boundary protection to prevent buffer overflow
Bug num:26267358
Change-Id: I70f9d2affb9058e2e80b6b9f8278d538186283d3
Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com>
(cherry picked from commit 9c112c7344a2642a6e7ee29ee920900248a29e8a)
diff --git a/drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c b/drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
index fdd46e8..65ee356 100644
--- a/drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
+++ b/drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
@@ -1680,6 +1680,7 @@
UINT_32 u4BufLen = 0;
PUINT_32 pu4IntBuf = NULL;
int status = 0;
+ UINT_32 u4CopyDataMax = 0;
kalMemZero(&aucOidBuf[0], sizeof(aucOidBuf));
@@ -1750,9 +1751,11 @@
pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
- if (copy_from_user(&prNdisReq->ndisOidContent[0],
- prIwReqData->data.pointer,
- prIwReqData->data.length)) {
+ u4CopyDataMax = sizeof(aucOidBuf) - OFFSET_OF(NDIS_TRANSPORT_STRUCT, ndisOidContent);
+ if ((prIwReqData->data.length>u4CopyDataMax)
+ || copy_from_user(&prNdisReq->ndisOidContent[0],
+ prIwReqData->data.pointer,
+ prIwReqData->data.length)) {
DBGLOG(REQ, INFO, ("priv_get_struct() copy_from_user oidBuf fail\n"));
return -EFAULT;
}
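Review bot: The new length check shares its branch with a failed `copy_from_user()`, so an oversized `prIwReqData->data.length` is logged as "copy_from_user oidBuf fail" and returned as `-EFAULT`. That makes a rejected out-of-range request indistinguishable from a bad user pointer when triaging logs. I would test the bound first, `if (prIwReqData->data.length > u4CopyDataMax) return -EINVAL;`, with its own DBGLOG line, and leave the copy check as it was. The bound also relies on `aucOidBuf` being an array in this scope, so that `sizeof(aucOidBuf)` is the buffer size and not a pointer size. The earlier `kalMemZero(&aucOidBuf[0], sizeof(aucOidBuf))` suggests it is, but the declaration is outside the hunk and worth confirming. The enclosing function starts and ends outside this hunk, so any later use of lengths read from `ndisOidContent` is not covered by this note.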