DroidSec: Buffer Overflow in wcnss_wowpattern_write

In the function wcnss_wowpattern_write, buf and count are supplied
by the user. A local variable cmd is allocated on the stack. There is
a check to ensure that there cannot be an overflow. Later, count
bytes of data are copied from buf to the local variable cmd and cmd is
explicitly null terminated. However, if count is
MAX_USER_COMMAND_SIZE_WOWL_PATTERN, the check is bypassed and the
explicit null termination is a one byte stack-based buffer overflow.

Change-Id: Id1719b52f7a6f099f6eadc914fd609aa959f7b61
CRs-fixed: 548113
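
The off-by-one described in the commit message, as an added user-space model that is not the driver's code or the actual patch. The buffer size, the `>` comparison, the `>=` hardened check, the -1 return value and all helper names are assumptions made for illustration; the guard byte stands in for whatever sits after cmd on the stack.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration; the page does not give the real size. */
#define MAX_USER_COMMAND_SIZE_WOWL_PATTERN 512
#define MAX   MAX_USER_COMMAND_SIZE_WOWL_PATTERN
#define GUARD 0xA5

/* Model of the stack frame: cmd[MAX] plus the one byte that sits after it. */
struct frame { unsigned char mem[MAX + 1]; };

/* Check as the commit message describes it: count == MAX gets through. */
static int write_before(struct frame *f, const char *buf, size_t count)
{
    unsigned char *cmd = f->mem;
    if (count > MAX) return -1;
    memcpy(cmd, buf, count);
    cmd[count] = '\0';      /* count == MAX writes index MAX, one past cmd[] */
    return 0;
}

/* Hypothetical hardened form: reject any count that leaves no room for NUL. */
static int write_after(struct frame *f, const char *buf, size_t count)
{
    unsigned char *cmd = f->mem;
    if (count >= MAX) return -1;
    memcpy(cmd, buf, count);
    cmd[count] = '\0';      /* highest index written is MAX - 1 */
    return 0;
}

/* Returns 1 if the byte after cmd[] was modified by a write of count bytes. */
static int guard_clobbered(int hardened, size_t count)
{
    struct frame f;
    char buf[MAX];          /* constructed input */
    memset(buf, 'A', sizeof buf);
    memset(f.mem, 0, MAX);
    f.mem[MAX] = GUARD;
    if (hardened) write_after(&f, buf, count);
    else          write_before(&f, buf, count);
    return f.mem[MAX] != GUARD;
}

int main(void)
{
    printf("before: %d, after: %d\n", guard_clobbered(0, MAX), guard_clobbered(1, MAX));
    return 0;
}
```

Only the exact boundary value matters: one byte less fits with its terminator, and anything larger is already rejected by the original check.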
1 file changed
tree: 89ec3c7a5b2a63667a3a5b855e2d5aba13f8a715