wlan: Address buffer overflow due to invalid length
This is a backport fix and the original patch from:
https://github.com/CyanogenMod/android_kernel_sony_msm8960t/commit/d58f1eacbdf55946ec7062ab6e4df462bf30ef32
"Check for valid length before copying the packet filter data from
userspace buffer to kernel space buffer to avoid buffer overflow
issue.". It's a device driver related bug and it can be exploited.
I've only tested it on Nexus 7 2013.
Signed-off-by: Shawn Chang <citypw@gmail.com>
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
index 964ed65..4f3db85 100644
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
@@ -5512,6 +5512,10 @@
hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d\n",
pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
+ (pRequest->paramsData[i].dataLength))
+ return -EINVAL;
+
memcpy(&packetFilterSetReq.paramsData[i].compareData,
pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);
memcpy(&packetFilterSetReq.paramsData[i].dataMask,