DroidSec: Buffer Overflow in wcnss_wowpattern_write
In the function wcnss_wowpattern_write, buf and count are supplied
by the user. A local variable cmd is allocated on the stack. There is
a check to ensure that there cannot be an overflow. Later, count
bytes of data are copied from buf to the local variable cmd and cmd is
explicitly null terminated. However, if count is
MAX_USER_COMMAND_SIZE_WOWL_PATTERN, the check is bypassed and the
explicit null termination is a one byte stack-based buffer overflow.
Change-Id: Id1719b52f7a6f099f6eadc914fd609aa959f7b61
CRs-fixed: 548113
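
The boundary case described in the commit message, as an added userspace model (not the driver's code and not part of this commit). The buffer size of 16, the guard byte, and the `model_write` helper are assumptions made for the demonstration; the flat `frame` array stands in for `cmd` plus the stack byte that follows it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed value for the demo; the page does not give the driver's real size. */
#define MAX_USER_COMMAND_SIZE_WOWL_PATTERN 16
#define GUARD 0xA5 /* models the stack byte located right after cmd[] */

/* Hypothetical model of the handler's length check, copy and NUL store.
 * frame[0 .. MAX-1] stands in for cmd[]; frame[MAX] is the neighbouring byte.
 * Returns -EINVAL if the length is rejected, 1 if the neighbouring byte was
 * overwritten by the terminator, 0 if the write stayed inside cmd[]. */
static int model_write(const char *buf, size_t count, int patched)
{
    unsigned char frame[MAX_USER_COMMAND_SIZE_WOWL_PATTERN + 1];
    unsigned char *cmd = frame;

    memset(frame, 0, sizeof(frame));
    frame[MAX_USER_COMMAND_SIZE_WOWL_PATTERN] = GUARD;

    /* Old check uses '>', patched check uses '>=' as in the diff. */
    if (patched ? (count >= MAX_USER_COMMAND_SIZE_WOWL_PATTERN)
                : (count > MAX_USER_COMMAND_SIZE_WOWL_PATTERN))
        return -EINVAL;

    memcpy(cmd, buf, count); /* stands in for the copy from user space */
    cmd[count] = '\0';       /* lands on index MAX when count == MAX */

    return frame[MAX_USER_COMMAND_SIZE_WOWL_PATTERN] != GUARD;
}

int main(void)
{
    char input[MAX_USER_COMMAND_SIZE_WOWL_PATTERN + 1]; /* constructed input */
    size_t n = MAX_USER_COMMAND_SIZE_WOWL_PATTERN;

    memset(input, 'A', sizeof(input));
    printf("count=MAX-1 old=%d patched=%d\n",
           model_write(input, n - 1, 0), model_write(input, n - 1, 1));
    printf("count=MAX   old=%d patched=%d\n",
           model_write(input, n, 0), model_write(input, n, 1));
    return 0;
}
```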
diff --git a/CORE/HDD/src/wlan_hdd_debugfs.c b/CORE/HDD/src/wlan_hdd_debugfs.c
index d24e94f..2b14379 100644
--- a/CORE/HDD/src/wlan_hdd_debugfs.c
+++ b/CORE/HDD/src/wlan_hdd_debugfs.c
@@ -62,8 +62,8 @@
return -EINVAL;
}
-
- if (count > MAX_USER_COMMAND_SIZE_WOWL_PATTERN)
+ /*take count as ending into consideration*/
+ if (count >= MAX_USER_COMMAND_SIZE_WOWL_PATTERN)
{
VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
"%s: Command length is larger than %d bytes.",
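Review bot: the error string under the changed check still reads "Command length is larger than %d bytes.", but with `>=` a count exactly equal to MAX_USER_COMMAND_SIZE_WOWL_PATTERN is now rejected as well, so the message is off by one for that case; reword it, for example to say the command must be smaller than the limit. The new comment `/*take count as ending into consideration*/` is also hard to parse: state directly that one byte of the buffer is reserved for the terminating NUL the commit message describes, so the next reader sees why equality is refused. A more robust follow-up would be to derive the bound from the destination buffer's size rather than repeating the macro, which keeps the check correct if the buffer declaration ever changes.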