DroidSec: Buffer Overflow in wcnss_wowpattern_write
In the function wcnss_wowpattern_write, buf and count are supplied
by the user.A local variable cmd is allocated on the stack.There is
a check to ensure that there cannot be an overflow.Later, count byte
s of data are copied from buf to the local variable cmd and cmd is
explicitly null terminated.However, if count is
MAX_USER_COMMAND_SIZE_WOWL_PATTERN, the check is bypassed and the
explicit null termination is a one byte stack-based buffer overflow.
Change-Id: Id1719b52f7a6f099f6eadc914fd609aa959f7b61
CRs-fixed: 548113
1 file changed