Fix OOB write possible when len equals sizeof array
service_specific_info_len sets as serviceSpecificInfo.size()
In case of the len equals sizeof(service_specific_info), OOB write possible.
Bug: 261857623
Test: tested with poc program
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
Change-Id: Ifdaaf475555fd4c9836758d2e804fcee4f822a89
diff --git a/bcmdhd/wifi_hal/nan.cpp b/bcmdhd/wifi_hal/nan.cpp
index 2f0008e..2dadaf8 100755
--- a/bcmdhd/wifi_hal/nan.cpp
+++ b/bcmdhd/wifi_hal/nan.cpp
@@ -1386,6 +1386,8 @@
}
if (mParams->service_specific_info_len > 0) {
+ u16 len = min(mParams->service_specific_info_len,
+ sizeof(mParams->service_specific_info) - 1);
result = request.put_u16(NAN_ATTRIBUTE_SERVICE_SPECIFIC_INFO_LEN,
mParams->service_specific_info_len);
if (result < 0) {
@@ -1400,7 +1402,7 @@
ALOGE("%s: Failed to put svc info, result = %d", __func__, result);
return result;
}
- mParams->service_specific_info[mParams->service_specific_info_len] = '\0';
+ mParams->service_specific_info[len] = '\0';
ALOGI("Transmit service info string is %s\n", mParams->service_specific_info);
}
