diff options
| author | Dustin Brown <dustinb@codeaurora.org> | 2018-04-19 16:24:23 -0700 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-04-20 17:11:13 -0700 |
| commit | 524bcc918ef97fa784d6cb1f48372ab9b416db7e (patch) | |
| tree | 944e5981a5750238dd5e46235fffc3b5ed23d44f | |
| parent | f304246ee7356622a7b0a260d7fa5f4dbc037987 (diff) | |
qcacld-3.0: Use total_len in drv_cmd_p2p_dev_addr()
Avoid userspace overwrite in drv_cmd_p2p_dev_addr() by intersecting the
max output buffer size with the total length of the userspace buffer.
This avoids the overwrite in cases where the allocated userspace buffer
is smaller than the max output buffer size.
Change-Id: I55c6d4b277e5964a7978daceffbe4eb72014c06d
CRs-Fixed: 2222846
| -rw-r--r-- | core/hdd/src/wlan_hdd_ioctl.c | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/core/hdd/src/wlan_hdd_ioctl.c b/core/hdd/src/wlan_hdd_ioctl.c index 864701b0111c..46266d6cb49c 100644 --- a/core/hdd/src/wlan_hdd_ioctl.c +++ b/core/hdd/src/wlan_hdd_ioctl.c @@ -2900,25 +2900,23 @@ static int drv_cmd_p2p_dev_addr(hdd_adapter_t *adapter, uint8_t command_len, hdd_priv_data_t *priv_data) { - int ret = 0; + struct qdf_mac_addr *addr = &hdd_ctx->p2pDeviceAddress; + size_t user_size = QDF_MIN(sizeof(addr->bytes), priv_data->total_len); MTRACE(qdf_trace(QDF_MODULE_ID_HDD, TRACE_CODE_HDD_P2P_DEV_ADDR_IOCTL, adapter->sessionId, - (unsigned int)(*(hdd_ctx->p2pDeviceAddress.bytes + 2) - << 24 | *(hdd_ctx->p2pDeviceAddress.bytes - + 3) << 16 | *(hdd_ctx-> - p2pDeviceAddress.bytes + 4) << 8 | - *(hdd_ctx->p2pDeviceAddress.bytes + - 5)))); - - if (copy_to_user(priv_data->buf, hdd_ctx->p2pDeviceAddress.bytes, - sizeof(tSirMacAddr))) { + (unsigned int)(*(addr->bytes + 2) << 24 | + *(addr->bytes + 3) << 16 | + *(addr->bytes + 4) << 8 | + *(addr->bytes + 5)))); + + if (copy_to_user(priv_data->buf, addr->bytes, user_size)) { hdd_err("failed to copy data to user buffer"); - ret = -EFAULT; + return -EFAULT; } - return ret; + return 0; } /** |
