DroidSec: Input not checked in function wlan_ftm_priv_set_mac_address
Input string buf is unvalidated user input passed in from
iw_ftm_setchar_getnone, a private ftm sub-ioctl function.
The string was copied from user space by the IOCTL dispatcher,
but its contents were not previously validated. buf is parsed
by sscanf to get a MAC address but the return value from sscanf
is not checked to verify that a properly formatted string was input.
The unvalidated parsed values are then sent to the WLAN module.
Change-Id: Ia9b10c3d30a05eeb69e5496bebf4a1e899f167a8
CRs-fixed: 553483
diff --git a/CORE/HDD/src/wlan_hdd_ftm.c b/CORE/HDD/src/wlan_hdd_ftm.c
index fef4a8c..4d50e79 100644
--- a/CORE/HDD/src/wlan_hdd_ftm.c
+++ b/CORE/HDD/src/wlan_hdd_ftm.c
@@ -4187,7 +4187,12 @@
pMsgBody->SetNvField.nvField = NV_COMMON_MAC_ADDR;
/*We get the mac address in string format "XX:XX:XX:XX:XX:XX" convert to hex*/
- sscanf(buf,"%02x:%02x:%02x:%02x:%02x:%02x",&macAddr[0],(int*)&macAddr[1],(int*)&macAddr[2],(int*)&macAddr[3],(int*)&macAddr[4],(int*)&macAddr[5]);
+ if (6 != sscanf(buf,"%02x:%02x:%02x:%02x:%02x:%02x",&macAddr[0],(int*)&macAddr[1],(int*)&macAddr[2],(int*)&macAddr[3],(int*)&macAddr[4],(int*)&macAddr[5]))
+ {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ "Invalid MacAddress Input %s", buf);
+ return VOS_STATUS_E_FAILURE;
+ }
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO_HIGH, "MacAddress = %02x:%02x:%02x:%02x:%02x:%02x",MAC_ADDR_ARRAY(macAddr));