authorSelvaraj, Sridhar <sselvara@codeaurora.org>2016-10-06 15:05:38 +0530
committerAnjaneedevi Kapparapu <akappa@codeaurora.org>2016-10-07 11:34:08 +0530
commit733c2b94c7af0090beeb62195ee6855c9909f4fb (patch)
treed290fb84c25420564a0a69f3d58895bf5caa5d17
parent36556db51f4376cc22db3010d7ce6fc57420d38c (diff)
qcacld-2.0: Avoid buffer overflow
prima to qcacld-2.0 propagation. scnprintf returns the number of characters which are actually written to the buffer. Currently there is no check while filling the buffer. Hence, a situation might arise where len is greater than the size of the buffer. Later, this buffer is copied to user space through the copy_to_user API and, since len is greater than the buffer size, a buffer overflow would occur. As part of the fix, make sure that a buffer overwrite doesn't occur. Change-Id: I652979cb26fd7fff36ee54f9ec60132453ac7913 CRs-Fixed: 908252
-rw-r--r--CORE/HDD/src/wlan_hdd_main.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 52003973c068..34b95d6ce84e 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -5814,7 +5814,7 @@ static int hdd_driver_command(hdd_adapter_t *pAdapter,
[Number of roam scan channels][Channel1][Channel2]... */
/* copy the number of channels in the 0th index */
len = scnprintf(extra, sizeof(extra), "%s %d", command, numChannels);
- for (j = 0; (j < numChannels); j++)
+ for (j = 0; (j < numChannels) && len <= sizeof(extra); j++)
{
len += scnprintf(extra + len, sizeof(extra) - len, " %d",
ChannelList[j]);
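Review bot: The added guard `len <= sizeof(extra)` in the loop condition can never be false, because scnprintf() returns the number of characters actually stored (excluding the NUL), so `len` cannot exceed `sizeof(extra) - 1` at this point. The loop therefore still iterates over every channel after the buffer is full, and the reply is silently truncated. To stop once the buffer is full, the condition would be `for (j = 0; (j < numChannels) && (len < sizeof(extra) - 1); j++)`. The declaration of `len` is outside the hunk; if it is a signed int, the comparison with sizeof() is done in unsigned arithmetic, so a cast or a short comment there would make the intent explicit. The copy to user space named in the description is also outside the hunk, and its length should be checked against the caller-supplied buffer size.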