| author | Dundi Raviteja <dundi@codeaurora.org> | 2018-06-15 16:18:55 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-06-18 06:52:39 -0700 |
| commit | c1035be3ab5a72593cb5197e9d6c7ebe4ac63369 (patch) | |
| tree | b6b685b7c5a3a6f542e2bb57102a239544afa956 | |
| parent | 1b515f4b0a966137b404affdb95fa73c04e75278 (diff) | |
qcacld-3.0: Fix OOB access in hdd_hostapd_inactivity_timer_cb()
The function hdd_hostapd_inactivity_timer_cb() copies data into the
we_custom_event buffer without checking the source buffer length,
which may lead to an out-of-bounds access.
To address this issue, add a check for the event length against
the size of we_custom_event buffer.
Change-Id: I9ba5b79e71f2f673e5b9e78e830bf29479b45a7b
CRs-Fixed: 2260108
| -rw-r--r-- | core/hdd/src/wlan_hdd_hostapd.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_hostapd.c b/core/hdd/src/wlan_hdd_hostapd.c
index 02e1aa1f487a..474c7fd7935c 100644
--- a/core/hdd/src/wlan_hdd_hostapd.c
+++ b/core/hdd/src/wlan_hdd_hostapd.c
@@ -670,6 +670,10 @@ static void hdd_hostapd_inactivity_timer_cb(void *context)
 return;
 }
 #endif /* DISABLE_CONCURRENCY_AUTOSAVE */
+ if (event_len > sizeof(we_custom_event)) {
+ hdd_err("Event len exceeds event buffer size: %d", event_len);
+ return;
+ }
 memset(&we_custom_event, '\0', sizeof(we_custom_event));
 memcpy(&we_custom_event, autoShutEvent, event_len); |
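Review bot: The added `event_len > sizeof(we_custom_event)` guard bounds the `memcpy()` destination, but an `event_len` exactly equal to the buffer size still passes and fills every byte, so the buffer is NUL-terminated only if `event_len` already counts the terminator. The declarations of `event_len` and `autoShutEvent` are outside this hunk; if the length excludes the terminator, the check should be `if (event_len >= sizeof(we_custom_event)) {`. The `%d` specifier also needs to match the declared type of `event_len`, and logging the limit would help triage, e.g. `hdd_err("Event len %d exceeds event buffer size %zu", event_len, sizeof(we_custom_event));`. A short comment above the guard should say that the event is dropped instead of truncated, since the function body continues past the hunk and the early return skips whatever delivers the event.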
