wlan: Static source code analysis fixes for HDD
Fix a potential buffer overflow bug which may happen when we try to write
the zero terminator to the end of an array.
Also we should use copy_from_user() to perform deep copies of the data that
wrqu->data.pointer references from IOCTL interface.
Change-Id: I9e5bfe6acde10b43f810981c57aa526b1ed0333a
CRs-fixed: 554890, 561023
diff --git a/CORE/HDD/src/wlan_hdd_debugfs.c b/CORE/HDD/src/wlan_hdd_debugfs.c
index 9d36ff4..cc2c620 100644
--- a/CORE/HDD/src/wlan_hdd_debugfs.c
+++ b/CORE/HDD/src/wlan_hdd_debugfs.c
@@ -39,7 +39,7 @@
{
hdd_adapter_t *pAdapter = (hdd_adapter_t *)file->private_data;
- char cmd[MAX_USER_COMMAND_SIZE_WOWL_PATTERN];
+ char cmd[MAX_USER_COMMAND_SIZE_WOWL_PATTERN + 1];
char *sptr, *token;
v_U8_t pattern_idx = 0;
v_U8_t pattern_offset = 0;
@@ -62,8 +62,8 @@
return -EINVAL;
}
- /*take count as ending into consideration*/
- if (count >= MAX_USER_COMMAND_SIZE_WOWL_PATTERN)
+
+ if (count > MAX_USER_COMMAND_SIZE_WOWL_PATTERN)
{
VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
"%s: Command length is larger than %d bytes.",
@@ -150,7 +150,7 @@
/* Get command from user */
if (count < MAX_USER_COMMAND_SIZE_FRAME)
- cmd = vos_mem_malloc(count);
+ cmd = vos_mem_malloc(count + 1);
else
{
VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,