authorManjeet Singh <manjee@codeaurora.org>2016-12-27 17:48:37 +0530
committerAshish kumar goswami <agoswa@codeaurora.org>2017-01-04 18:17:13 +0530
commit29c4ddb447b2d49409a9d0b93631f84a9d2e922e (patch)
tree29616640458089770b816eaf08c6b8d44dccbcf6
parentffbb3cd77c790e797d14cfbabfaae8ddb6153a55 (diff)
qcacld-2.0: Add buf len check in wlan_hdd_cfg80211_testmode
In the __wlan_hdd_cfg80211_testmode API, no checks are in place to ensure that buflen is smaller than or equal to the size of the stack variable hb_params. Hence, the vos_mem_copy() call can overflow stack memory. Add a buf len check to avoid the stack overflow. CRs-Fixed: 1105085 Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
-rw-r--r--CORE/HDD/src/wlan_hdd_cfg80211.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 1ad4ef2396fc..54605a2a4e81 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -26336,6 +26336,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy,
(hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0))
return -EINVAL;
+ if (buf_len > sizeof(*hb_params)) {
+ hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"),
+ buf_len);
+ return -ERANGE;
+ }
+
hb_params = (tSirLPHBReq *)vos_mem_malloc(sizeof(tSirLPHBReq));
if (NULL == hb_params) {
hddLog(LOGE, FL("Request Buffer Alloc Fail"));
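Review bot: The added `if (buf_len > sizeof(*hb_params))` guard runs after the context lines that already read `hb_params_temp->params.lphbTcpParamReq.timePeriodSec`, and it sets no lower bound, so a payload shorter than that field is still dereferenced before any length validation. hb_params_temp is assigned outside the hunk, but if it aliases the user-supplied testmode buffer, this is an out-of-bounds read. Moving the check above the `timePeriodSec` test and rejecting short input as well, e.g. `if (buf_len != sizeof(*hb_params)) {`, would close it, assuming callers always send the whole structure. A short buf_len would presumably also leave the tail of the `vos_mem_malloc(sizeof(tSirLPHBReq))` allocation unwritten by the later copy unless it is zeroed first; that part of the function is outside this hunk and should be confirmed.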