Prima: Fix buffer overwrite problem in GETDWELLTIME
qcacld-2.0 to prima propagation
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing mininum of (len + 1) and priv_data.total_len
Change-Id: Id52e85bd6b271dea4324f4e17d6f2aba0a9ecdbf
CRs-Fixed: 865510
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index d50d5c5..db92c10 100755
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -3928,8 +3928,8 @@
memset(extra, 0, sizeof(extra));
ret = hdd_get_dwell_time(pCfg, command, extra, sizeof(extra), &len);
- if (ret != 0 || copy_to_user(priv_data.buf, &extra, len + 1))
- {
+ len = VOS_MIN(priv_data.total_len, len + 1);
+ if (ret != 0 || copy_to_user(priv_data.buf, &extra, len)) {
VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
"%s: failed to copy data to user buffer", __func__);
ret = -EFAULT;