authorGovind Singh <govinds@codeaurora.org>2017-02-03 11:12:30 +0530
committerqcabuildsw <qcabuildsw@localhost>2017-02-07 13:48:36 -0800
commit610a6771c0155822a0bd7e42ab2f5cdc80c65fca (patch)
tree687d5fa043d888c4a3df591beb5ce631feee3d95
parent7b7a8bbbbdf554308a874ce036380f59478a3a2c (diff)
qcacmn: Do not copy buffer to user-space if diag read fails
ATH diag procfs read is copying read_buffer to user space unconditionally, causing kernel heap information leak of uninitialized read_buffer if hif diag read fails. Do not copy buffer to user space if diag read fails to avoid information leak to user space. Change-Id: I5e07cad4f90e5e9b3c461268b8fa3635c3128b9f CRs-Fixed: 1104731
-rw-r--r--hif/src/ath_procfs.c10
1 files changed, 4 insertions, 6 deletions
diff --git a/hif/src/ath_procfs.c b/hif/src/ath_procfs.c
index 0a19c65eaa58..f1cb6f06fd31 100644
--- a/hif/src/ath_procfs.c
+++ b/hif/src/ath_procfs.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2014, 2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2014, 2016-2017 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -104,6 +104,8 @@ static ssize_t ath_procfs_diag_read(struct file *file, char __user *buf,
}
out:
+ if (rv)
+ return -EIO;
if (copy_to_user(buf, read_buffer, count)) {
qdf_mem_free(read_buffer);
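Review bot: The added early return `if (rv) return -EIO;` under `out:` exits without releasing `read_buffer`, whereas both branches of the `copy_to_user()` check directly below call `qdf_mem_free(read_buffer)`, so each failed diag read appears to leak the buffer. Because this is a procfs read handler, repeated failures would steadily consume kernel memory, trading the information leak for a resource-exhaustion risk. Free the buffer before returning, e.g. `if (rv) { qdf_mem_free(read_buffer); return -EIO; }`. The allocation of `read_buffer` and the code that sets `rv` sit above the hunk, so confirm that no earlier `goto out` can reach this label before the buffer is allocated. Zero-initialising the buffer at allocation would also help, since `copy_to_user()` still copies the full `count` bytes on success.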
@@ -113,11 +115,7 @@ out:
} else
qdf_mem_free(read_buffer);
- if (rv == 0) {
- return count;
- } else {
- return -EIO;
- }
+ return count;
}
static ssize_t ath_procfs_diag_write(struct file *file,