From 524bcc918ef97fa784d6cb1f48372ab9b416db7e Mon Sep 17 00:00:00 2001 From: Dustin Brown Date: Thu, 19 Apr 2018 16:24:23 -0700 Subject: qcacld-3.0: Use total_len in drv_cmd_p2p_dev_addr() Avoid userspace overwrite in drv_cmd_p2p_dev_addr() by intersecting the max output buffer size with the total length of the userspace buffer. This avoids the overwrite in cases where the allocated userspace buffer is smaller than the max output buffer size. Change-Id: I55c6d4b277e5964a7978daceffbe4eb72014c06d CRs-Fixed: 2222846 --- core/hdd/src/wlan_hdd_ioctl.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/core/hdd/src/wlan_hdd_ioctl.c b/core/hdd/src/wlan_hdd_ioctl.c index 864701b0111c..46266d6cb49c 100644 --- a/core/hdd/src/wlan_hdd_ioctl.c +++ b/core/hdd/src/wlan_hdd_ioctl.c @@ -2900,25 +2900,23 @@ static int drv_cmd_p2p_dev_addr(hdd_adapter_t *adapter, uint8_t command_len, hdd_priv_data_t *priv_data) { - int ret = 0; + struct qdf_mac_addr *addr = &hdd_ctx->p2pDeviceAddress; + size_t user_size = QDF_MIN(sizeof(addr->bytes), priv_data->total_len); MTRACE(qdf_trace(QDF_MODULE_ID_HDD, TRACE_CODE_HDD_P2P_DEV_ADDR_IOCTL, adapter->sessionId, - (unsigned int)(*(hdd_ctx->p2pDeviceAddress.bytes + 2) - << 24 | *(hdd_ctx->p2pDeviceAddress.bytes - + 3) << 16 | *(hdd_ctx-> - p2pDeviceAddress.bytes + 4) << 8 | - *(hdd_ctx->p2pDeviceAddress.bytes + - 5)))); - - if (copy_to_user(priv_data->buf, hdd_ctx->p2pDeviceAddress.bytes, - sizeof(tSirMacAddr))) { + (unsigned int)(*(addr->bytes + 2) << 24 | + *(addr->bytes + 3) << 16 | + *(addr->bytes + 4) << 8 | + *(addr->bytes + 5)))); + + if (copy_to_user(priv_data->buf, addr->bytes, user_size)) { hdd_err("failed to copy data to user buffer"); - ret = -EFAULT; + return -EFAULT; } - return ret; + return 0; } /** -- cgit v1.2.3