| author | Sourav Mohapatra <mohapatr@codeaurora.org> | 2018-04-23 12:19:53 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-05-09 06:21:47 -0700 |
| commit | d47cb93001b2468bc9e6fbf105b65fbda759eb8e (patch) | |
| tree | a207c73bddf68320db46ba303481ef976e7d3f53 | |
| parent | d40ca366811abd50176162009d640d217faccd10 (diff) | |
qcacld-3.0: Check buff len alloc in __iw_set_packet_filter_params
In __iw_set_packet_filter_params(), a user controlled length value,
priv_data.length, is used to allocate a buffer. This buffer is then
cast to a struct pointer of struct pkt_filter_cfg type without ensuring
the buffer is large enough to hold the struct. This can lead to a buffer
overread if the user supplied size is smaller than the actual size of the
struct.
Add a sanity check on priv_data.length to ensure that the size is large
enough to hold the struct.
Change-Id: I227856484d4bd7a9b0a16a42e26febbc799f80b5
CRs-Fixed: 2228725
| -rw-r--r-- | core/hdd/src/wlan_hdd_wext.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/core/hdd/src/wlan_hdd_wext.c b/core/hdd/src/wlan_hdd_wext.c index b8141eb2cd5c..acef1f2637f4 100644 --- a/core/hdd/src/wlan_hdd_wext.c +++ b/core/hdd/src/wlan_hdd_wext.c @@ -11393,7 +11393,8 @@ static int __iw_set_packet_filter_params(struct net_device *dev, return -EINVAL; } - if ((NULL == priv_data.pointer) || (0 == priv_data.length)) { + if ((NULL == priv_data.pointer) || (0 == priv_data.length) || + priv_data.length < sizeof(struct pkt_filter_cfg)) { hdd_err("invalid priv data %pK or invalid priv data length %d", priv_data.pointer, priv_data.length); return -EINVAL; |
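Review bot: In the rewritten condition in __iw_set_packet_filter_params(), the existing `(0 == priv_data.length)` test is now subsumed by the added `priv_data.length < sizeof(struct pkt_filter_cfg)` clause, since any zero length fails the size comparison as well. Consider dropping the zero test, or at least parenthesising the new clause to match the other two operands. The hdd_err() text is also unchanged, so a request rejected for being too short logs only "invalid priv data length %d" with no indication of the minimum required; adding the expected size (sizeof(struct pkt_filter_cfg)) to the message would make the rejection diagnosable. Finally, the check sets only a lower bound on the copied buffer, so it is worth confirming in the rest of the function (not visible in this hunk) that any count or length fields read from the struct are validated before they are used to index into it.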
