qcacld-2.0: Fix buffer overwrite problem in GETROAMSCANCHANNELMINTIME

If (len + 1) is greater than priv_data.total_len then copy_to_user results in writing more data than the buffer can hold. Fix this by writing mininum of (len + 1) and priv_data.total_len. Change-Id: Ic7a76773875ed60d1c37498e25d3ee3f5650fcb8 CRs-Fixed: 865561
author: Srinivas Girigowda <sgirigow@qca.qualcomm.com> 2015-07-07 13:28:38 -0700
committer: Anjaneedevi Kapparapu <akappa@codeaurora.org> 2015-07-10 20:33:30 +0530
commit: 3bd6903e2b05f05cfbe3ef5a3241577c8c4c682d (patch)
tree: a45fe216c92194bb4a9fe62d33c00b6d8fc7a575
parent: f5e901a98d2d8ed65a33db469e5304cf0d1f44e4 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index c8177183a4ad..ae7934fd6ed4 100755
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -4631,8 +4631,8 @@ static int hdd_driver_command(hdd_adapter_t *pAdapter,
            MTRACE(vos_trace(VOS_MODULE_ID_HDD,
                             TRACE_CODE_HDD_GETROAMSCANCHANNELMINTIME_IOCTL,
                             pAdapter->sessionId, val));
-           if (copy_to_user(priv_data.buf, &extra, len + 1))
-           {
+           len = VOS_MIN(priv_data.total_len, len + 1);
+           if (copy_to_user(priv_data.buf, &extra, len)) {
                VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
                   "%s: failed to copy data to user buffer", __func__);
                ret = -EFAULT;
author	Srinivas Girigowda <sgirigow@qca.qualcomm.com>	2015-07-07 13:28:38 -0700
committer	Anjaneedevi Kapparapu <akappa@codeaurora.org>	2015-07-10 20:33:30 +0530
commit	3bd6903e2b05f05cfbe3ef5a3241577c8c4c682d (patch)
tree	a45fe216c92194bb4a9fe62d33c00b6d8fc7a575
parent	f5e901a98d2d8ed65a33db469e5304cf0d1f44e4 (diff)