wlan: Fix out of bound access in ptt_sock_send_msg_to_app
Out of bound access is reported by kernel address
sanitizer (KASan) tool.
===========================================================
BUG: KASAN: stack-out-of-bounds in memcpy+0x28/0x54
at addr ffffffc0555f3764
Read of size 36 by task cnss_diag/561
===========================================================
page:ffffffba492b1710 count:0 mapcount:0 mapping:(null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 5 PID: 561 Comm: cnss_diag Tainted: P B
-----------------------------------------------------------
[<ffffffc00008c55c>] dump_backtrace+0x0/0x284
[<ffffffc00008c7f0>] show_stack+0x10/0x1c
[<ffffffc001e4efd4>] dump_stack+0x74/0xfc
[<ffffffc0002f6d84>] kasan_report+0x3b4/0x504
[<ffffffc0002f5fe4>] __asan_loadN+0x20/0x14c
[<ffffffc0002f64e8>] memcpy+0x24/0x54
[<ffffffbffc382920>] vos_mem_copy+0x68/0x7c [wlan]
[<ffffffbffc2f1fb0>] ptt_sock_send_msg_to_app+0x224/0x2d0 [wlan]
[<ffffffbffc2f21bc>] ptt_sock_proc_reg_req+0x160/0x1f4 [wlan]
[<ffffffbffc2f2484>] ptt_sock_rx_nlink_msg+0x234/0x90c [wlan]
[<ffffffbffc2f140c>] nl_srv_rcv+0x1c0/0x218 [wlan]
[<ffffffc0019dfb14>] netlink_unicast+0x3b0/0x4c0
[<ffffffc0019e0750>] netlink_sendmsg+0xa2c/0xb30
[<ffffffc0019226c4>] sock_sendmsg+0x1d4/0x22c
[<ffffffc0019272e4>] SyS_sendto+0x194/0x224
Memory state around the buggy address:
ffffffc0555f3600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0555f3680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0555f3700: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 04 f4
^
ffffffc0555f3780: f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
ffffffc0555f3800: 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f3 f3 f3 f3
==================================================================
Memory corruption is observed during memcpy as the incorrect
size is passed to memcpy.
To address this, pass the correct size.
CRs-Fixed: 956187
Change-Id: I682de25908c7ab1abbdc3c08abf788e66a5c98df
1 file changed