wlan: Memory overflow and corruption in ftm test
In CR561019, to guard against malicious user input, the memory holding user
arguments is zeroed out from the end of the user input up to a maximum
bound, but this may erase other user arguments in this segment. To
resolve this issue, only a maximum bound has been assigned to the user
input parameters.
Change-Id: I413843f4943157afa67dd624e848ceafb24cb9af
CRs-fixed: 591712
diff --git a/CORE/HDD/src/wlan_hdd_ftm.c b/CORE/HDD/src/wlan_hdd_ftm.c
index 38af33e..d3f4346 100644
--- a/CORE/HDD/src/wlan_hdd_ftm.c
+++ b/CORE/HDD/src/wlan_hdd_ftm.c
@@ -4562,12 +4562,17 @@
sub_cmd = wrqu->data.flags;
pAdapter = (hdd_adapter_t *)netdev_priv(dev);
- /*we can only accept input falling between 1 and length bytes,
+ /*we can only accept input length bytes at most less than 512,
*and ensure extra is null delimited string
*/
- if (wrqu->data.length>=512)
- return -EINVAL;
- vos_mem_zero(extra + length,512 - length);
+ if (length>=512)
+ {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
+ "%s: Received command out of bound %s", __func__, extra);
+ return -EINVAL;
+ }
+
+ extra[length] = 0;
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
"%s: Received length %d", __func__, length);
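Review bot: The new reject branch prints `extra` with `%s` before any terminator has been written, and it runs exactly when `length` is 512 or more, so the trace may read past the end of the user-supplied buffer and copy adjacent kernel memory into the log. Log the length rather than the contents, e.g. `"%s: Received command length %d out of bound", __func__, length`. Separately, `extra[length] = 0` is only safe if the buffer holds at least `length + 1` bytes and `length` is non-negative. Neither the allocation nor the declaration of `length` is visible in this hunk, so if `length` is signed the guard should read `if (length < 0 || length >= 512)`. The enclosing function starts and ends outside the hunk.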
@@ -4593,8 +4598,8 @@
ret = -EINVAL;
}
+ break;
}
- break;
case WE_SET_TX_RATE:
{
status = wlan_ftm_priv_set_txrate(pAdapter,extra);
@@ -4608,7 +4613,7 @@
}
break;
- }
+ }
default:
{
hddLog(LOGE, "%s: Invalid sub command %d",__func__, sub_cmd);