DroidSec: Buffer Overflow in wcnss_wowpattern_write

In the function wcnss_wowpattern_write, buf and count are supplied
by the user. A local variable cmd is allocated on the stack. There is
a check to ensure that there cannot be an overflow. Later, count
bytes of data are copied from buf to the local variable cmd and cmd
is explicitly null terminated. However, if count is
MAX_USER_COMMAND_SIZE_WOWL_PATTERN, the check is bypassed and the
explicit null termination is a one byte stack-based buffer overflow.

Change-Id: Id1719b52f7a6f099f6eadc914fd609aa959f7b61
CRs-fixed: 548113
diff --git a/CORE/HDD/src/wlan_hdd_debugfs.c b/CORE/HDD/src/wlan_hdd_debugfs.c
index d24e94f..2b14379 100644
--- a/CORE/HDD/src/wlan_hdd_debugfs.c
+++ b/CORE/HDD/src/wlan_hdd_debugfs.c
@@ -62,8 +62,8 @@
 
         return -EINVAL;
     }
-
-    if (count > MAX_USER_COMMAND_SIZE_WOWL_PATTERN)
+    /*take count as ending  into consideration*/
+    if (count >=  MAX_USER_COMMAND_SIZE_WOWL_PATTERN)
     {
         VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
                    "%s: Command length is larger than %d bytes.",