authorDustin Brown <dustinb@codeaurora.org>2018-04-19 16:24:23 -0700
committernshrivas <nshrivas@codeaurora.org>2018-04-20 17:11:13 -0700
commit524bcc918ef97fa784d6cb1f48372ab9b416db7e (patch)
tree944e5981a5750238dd5e46235fffc3b5ed23d44f
parentf304246ee7356622a7b0a260d7fa5f4dbc037987 (diff)
qcacld-3.0: Use total_len in drv_cmd_p2p_dev_addr()
Avoid userspace overwrite in drv_cmd_p2p_dev_addr() by intersecting the max output buffer size with the total length of the userspace buffer. This avoids the overwrite in cases where the allocated userspace buffer is smaller than the max output buffer size. Change-Id: I55c6d4b277e5964a7978daceffbe4eb72014c06d CRs-Fixed: 2222846
-rw-r--r--core/hdd/src/wlan_hdd_ioctl.c22
1 files changed, 10 insertions, 12 deletions
diff --git a/core/hdd/src/wlan_hdd_ioctl.c b/core/hdd/src/wlan_hdd_ioctl.c
index 864701b0111c..46266d6cb49c 100644
--- a/core/hdd/src/wlan_hdd_ioctl.c
+++ b/core/hdd/src/wlan_hdd_ioctl.c
@@ -2900,25 +2900,23 @@ static int drv_cmd_p2p_dev_addr(hdd_adapter_t *adapter,
uint8_t command_len,
hdd_priv_data_t *priv_data)
{
- int ret = 0;
+ struct qdf_mac_addr *addr = &hdd_ctx->p2pDeviceAddress;
+ size_t user_size = QDF_MIN(sizeof(addr->bytes), priv_data->total_len);
MTRACE(qdf_trace(QDF_MODULE_ID_HDD,
TRACE_CODE_HDD_P2P_DEV_ADDR_IOCTL,
adapter->sessionId,
- (unsigned int)(*(hdd_ctx->p2pDeviceAddress.bytes + 2)
- << 24 | *(hdd_ctx->p2pDeviceAddress.bytes
- + 3) << 16 | *(hdd_ctx->
- p2pDeviceAddress.bytes + 4) << 8 |
- *(hdd_ctx->p2pDeviceAddress.bytes +
- 5))));
-
- if (copy_to_user(priv_data->buf, hdd_ctx->p2pDeviceAddress.bytes,
- sizeof(tSirMacAddr))) {
+ (unsigned int)(*(addr->bytes + 2) << 24 |
+ *(addr->bytes + 3) << 16 |
+ *(addr->bytes + 4) << 8 |
+ *(addr->bytes + 5))));
+
+ if (copy_to_user(priv_data->buf, addr->bytes, user_size)) {
hdd_err("failed to copy data to user buffer");
- ret = -EFAULT;
+ return -EFAULT;
}
- return ret;
+ return 0;
}
/**
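Review bot: When `priv_data->total_len` is smaller than `sizeof(addr->bytes)`, the new `copy_to_user()` call writes only part of the MAC address and the function still returns 0, so the caller cannot tell a truncated address from a complete one. Rejecting the short buffer before the copy would make that explicit, e.g. `if (priv_data->total_len < sizeof(addr->bytes)) return -EINVAL;`. The declaration of `total_len` is not visible in this hunk; if it is a signed type, a negative value would presumably be converted to a large unsigned number in the `QDF_MIN()` comparison with `sizeof`, and the clamp would fall back to the full address size. It is worth confirming that the caller rejects non-positive lengths, or comparing against `(int)sizeof(addr->bytes)` instead. The parameter list of `drv_cmd_p2p_dev_addr()` begins above the hunk, so `hdd_ctx` and the other arguments are not shown here.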