wlan: Add buf len check in wlan_hdd_cfg80211_testmode In __wlan_hdd_cfg80211_testmode API no checks are in place that ensure that buflen is smaller or equal the size of the stack variable hb_params. Hence, the vos_mem_copy() call can overflow stack memory. Add buf len check to avoid stack overflow. CRs-Fixed: 1105085 Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c

commit: 3c57744646d8df20197a395fe8e8e953e10c4b46 [log] [tgz]
author: Manjeet Singh <manjee@codeaurora.org> Fri Feb 10 19:03:38 2017 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> Mon Feb 20 09:21:39 2017 -0800
tree: f5890db49e52a5f8a11e81430ed1a1f2afa11dad
parent: b8c53aac886e58b7a44c98dcb3e38977f18fdf28 [diff] [blame]
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 71365ea..d58daae 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c

@@ -20059,6 +20059,12 @@
             buf = nla_data(tb[WLAN_HDD_TM_ATTR_DATA]);
             buf_len = nla_len(tb[WLAN_HDD_TM_ATTR_DATA]);
 
+            if (buf_len > sizeof(*hb_params)) {
+                hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"),
+                       buf_len);
+                return -ERANGE;
+            }
+
             hb_params_temp =(tSirLPHBReq *)buf;
             if ((hb_params_temp->cmd == LPHB_SET_TCP_PARAMS_INDID) &&
                 (hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0))
commit	3c57744646d8df20197a395fe8e8e953e10c4b46	[log] [tgz]
author	Manjeet Singh <manjee@codeaurora.org>	Fri Feb 10 19:03:38 2017 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Mon Feb 20 09:21:39 2017 -0800
tree	f5890db49e52a5f8a11e81430ed1a1f2afa11dad
parent	b8c53aac886e58b7a44c98dcb3e38977f18fdf28 [diff] [blame]