Google Git
Sign in
android / kernel / msm / 15c8afebed947b30370095cbb7de6257891a3971^! / .
commit15c8afebed947b30370095cbb7de6257891a3971[log] [tgz]
authorShawn Chang <citypw@gmail.com>Thu Jan 21 17:36:58 2016 +0800
committerShawn Chang <citypw@gmail.com>Thu Jan 21 17:36:58 2016 +0800
tree4dc27a419f6dd8b8d4ea336beab9a766b49a863b
parent8ccbf6c7182d41a9e969d32a63a438943245c417 [diff]
	wlan: Address buffer overflow due to invalid length

	This is a backport fix and the original patch from:
	https://github.com/CyanogenMod/android_kernel_sony_msm8960t/commit/d58f1eacbdf55946ec7062ab6e4df462bf30ef32

	"Check for valid length before copying the packet filter data from
	userspace buffer to kernel space buffer to avoid buffer overflow
	issue.". It's a device driver related bug and it can be exploited.
	I've only tested it on Nexus 7 2013.

Signed-off-by: Shawn Chang <citypw@gmail.com>

diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
index 964ed65..4f3db85 100644
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c

@@ -5512,6 +5512,10 @@
                 hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d\n",
                         pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
 
+                if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
+                    (pRequest->paramsData[i].dataLength))
+                    return -EINVAL;
+
                 memcpy(&packetFilterSetReq.paramsData[i].compareData,
                         pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);
                 memcpy(&packetFilterSetReq.paramsData[i].dataMask,