qcwcn: Heap-buffer-overflow in register_monitor_sock() of wifi hal am: 0ed8dbf042 am: 027a922c95 am: f3b9d7e9f2 am: d935c1f68b am: 41bb975a97 Change-Id: I353a1a5c884039ae88f4d68110bd0fd5f55ec709

commit: d565f565bf9d9128ade9c6f25cf4d4765b9d75a1 [log] [tgz]
author: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Mar 10 02:36:04 2020 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Mar 10 02:36:04 2020 +0000
tree: 1d4b41fa17c48906cc6b40d0a64df3da2b1c892f
parent: 72812f3a8376dce293388bc1ddd1e515396840cc [diff]
parent: 41bb975a97a2e2858179fdd9463d70c582b03ff8 [diff]
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 2a6a9e9..4576063 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp

@@ -1291,6 +1291,12 @@
 
     if(attach)
     {
+       if (ctrl_msg->monsock_len > sizeof(struct sockaddr_un))
+       {
+         ALOGE("%s: Invalid monitor socket length \n", __FUNCTION__);
+         return -3;
+       }
+
        nreg = (wifihal_mon_sock_t *)malloc(sizeof(*reg) + match_len);
         if (!nreg)
            return -1;
commit	d565f565bf9d9128ade9c6f25cf4d4765b9d75a1	[log] [tgz]
author	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Tue Mar 10 02:36:04 2020 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Tue Mar 10 02:36:04 2020 +0000
tree	1d4b41fa17c48906cc6b40d0a64df3da2b1c892f
parent	72812f3a8376dce293388bc1ddd1e515396840cc [diff]
parent	41bb975a97a2e2858179fdd9463d70c582b03ff8 [diff]