wlan: Add buf len check in wlan_hdd_cfg80211_testmode
In __wlan_hdd_cfg80211_testmode API no checks are in place that
ensure that buflen is smaller or equal the size of the stack
variable hb_params. Hence, the vos_mem_copy() call can overflow
stack memory.
Add buf len check to avoid stack overflow.
CRs-Fixed: 1105085
Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 71365ea..d58daae 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -20059,6 +20059,12 @@
buf = nla_data(tb[WLAN_HDD_TM_ATTR_DATA]);
buf_len = nla_len(tb[WLAN_HDD_TM_ATTR_DATA]);
+ if (buf_len > sizeof(*hb_params)) {
+ hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"),
+ buf_len);
+ return -ERANGE;
+ }
+
hb_params_temp =(tSirLPHBReq *)buf;
if ((hb_params_temp->cmd == LPHB_SET_TCP_PARAMS_INDID) &&
(hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0))