diff options
| author | Min Liu <minliu@codeaurora.org> | 2018-03-29 14:30:24 +0800 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-04-03 11:12:37 -0700 |
| commit | a6f678e934066ebb3ed2c4f51b4ea7cbd7e1cd55 (patch) | |
| tree | 15f86dcfd4b00965b2ab3ca922fca52d9b87105a | |
| parent | 0218cb4ba0baa1b6bec826c068b617368f0def63 (diff) | |
qcacld-3.0: Add string length validation
qcacld-2.0 to qcacld-3.0 propagation
In hdd_parse_get_ibss_peer_info(), issue is reported by external
researcher that lack of string length validation might lead to
out-of-bounds read.
Related string length validation is added accordingly.
Change-Id: I32304404b2bab9011fa67316b77f6d37bb39df2d
CRs-Fixed: 2214899
| -rw-r--r-- | core/hdd/src/wlan_hdd_ioctl.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/core/hdd/src/wlan_hdd_ioctl.c b/core/hdd/src/wlan_hdd_ioctl.c index a08cf59325ce..3cbd92566d33 100644 --- a/core/hdd/src/wlan_hdd_ioctl.c +++ b/core/hdd/src/wlan_hdd_ioctl.c @@ -566,8 +566,9 @@ static QDF_STATUS hdd_parse_get_ibss_peer_info(uint8_t *pValue, struct qdf_mac_addr *pPeerMacAddr) { uint8_t *inPtr = pValue; + size_t in_ptr_len = strlen(pValue); - inPtr = strnchr(pValue, strlen(pValue), SPACE_ASCII_VALUE); + inPtr = strnchr(pValue, in_ptr_len, SPACE_ASCII_VALUE); if (NULL == inPtr) return QDF_STATUS_E_FAILURE; @@ -580,10 +581,14 @@ hdd_parse_get_ibss_peer_info(uint8_t *pValue, struct qdf_mac_addr *pPeerMacAddr) if ('\0' == *inPtr) return QDF_STATUS_E_FAILURE; + in_ptr_len -= (inPtr - pValue); + if (in_ptr_len < 17) + return QDF_STATUS_E_FAILURE; + if (inPtr[2] != ':' || inPtr[5] != ':' || inPtr[8] != ':' || - inPtr[11] != ':' || inPtr[14] != ':') { + inPtr[11] != ':' || inPtr[14] != ':') return QDF_STATUS_E_FAILURE; - } + sscanf(inPtr, "%2x:%2x:%2x:%2x:%2x:%2x", (unsigned int *)&pPeerMacAddr->bytes[0], (unsigned int *)&pPeerMacAddr->bytes[1], |
