wlan: Avoid buffer overflow.

scnprintf returns the number of characters
which are actually written in the buffer.
Currently there is no check, while filling
buffer. Hence a situation might arise where
the len is greater than the size of the buffer.

Later on this buffer is copied to user space
through the API copy_to_user and since the len
is greater than buffer size, buffer overflow
would occur. As a part of fix, make sure that
buffer overflow doesn't occur.

Change-Id: I652979cb26fd7fff36ee54f9ec60132453ac7913
CRs-Fixed: 908252
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index c150dae..05bf8f4 100755
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -2872,7 +2872,7 @@
            [Number of roam scan channels][Channel1][Channel2]... */
            /* copy the number of channels in the 0th index */
            len = scnprintf(extra, sizeof(extra), "%s %d", command, numChannels);
-           for (j = 0; (j < numChannels); j++)
+           for (j = 0; (j < numChannels) && len <= sizeof(extra); j++)
            {
                len += scnprintf(extra + len, sizeof(extra) - len, " %d",
                        ChannelList[j]);
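
Review bot: The new loop condition `len <= sizeof(extra)` is off by one: it still enters the body when len equals sizeof(extra), so `scnprintf(extra + len, sizeof(extra) - len, ...)` is called with a pointer one past the end of the array and a size of 0. Use `len < sizeof(extra)` instead. If len is a signed int, the comparison against a size_t is also a mixed-sign comparison, so an explicit cast or an unsigned type for len would make the intent clear. Since scnprintf returns only the characters actually written, as the commit message says, this bound mostly acts as an early exit once the buffer is full, and the channel list is then truncated silently. Please add a comment saying so, or log the truncation. The copy to user space that the message refers to is not in this hunk; clamping the length at that call site (for example with min against sizeof(extra)) would protect the copy directly instead of relying on every formatting loop to stay in bounds.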