wlan: avoid buffer overflow in hdd_parse_channellist()
Static source code analysis identified multiple buffer overflow issues
in hdd_parse_channellist(). Some, but not all, were addressed in a
recent change. Address the other outstanding buffer overflow issues.
Change-Id: I25d073a3e32f557ae3217fe9348dad9a04d79331
CRs-fixed: 470188
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index eb3c584..83a1794 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -1523,7 +1523,7 @@
}
/*removing empty spaces*/
- while ((SPACE_ASCII_VALUE == *inPtr)&& ('\0' != *inPtr) ) inPtr++;
+ while ((SPACE_ASCII_VALUE == *inPtr) && ('\0' != *inPtr)) inPtr++;
/*no argument followed by spaces*/
if ('\0' == *inPtr)
@@ -1534,7 +1534,12 @@
/*getting the first argument ie the number of channels*/
sscanf(inPtr, "%32s ", buf);
v = kstrtos32(buf, 10, &tempInt);
- if ((v < 0) || (tempInt <= 0)) return -EINVAL;
+ if ((v < 0) ||
+ (tempInt <= 0) ||
+ (tempInt > WNI_CFG_VALID_CHANNEL_LIST_LEN))
+ {
+ return -EINVAL;
+ }
*pNumChannels = tempInt;
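Review bot: The new upper bound on `tempInt` only protects `pChannelList` if every caller passes a buffer of at least WNI_CFG_VALID_CHANNEL_LIST_LEN entries, and nothing in this hunk records that requirement. The buffer is allocated outside this function, so the dependency should be written next to the check, for example `/* pChannelList must hold WNI_CFG_VALID_CHANNEL_LIST_LEN entries; the caller owns the allocation */`, and each caller checked against it. The function body starts and ends outside the hunk, so whether the later fill loop is itself bounded by `*pNumChannels` cannot be confirmed from here.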
@@ -1560,7 +1565,7 @@
}
/*removing empty space*/
- while ((SPACE_ASCII_VALUE == *inPtr) && ('\0' != *inPtr) ) inPtr++;
+ while ((SPACE_ASCII_VALUE == *inPtr) && ('\0' != *inPtr)) inPtr++;
/*no channel list after the number of channels argument and spaces*/
if ( '\0' == *inPtr )
@@ -1576,9 +1581,14 @@
}
}
- sscanf(inPtr, "%s ", buf);
+ sscanf(inPtr, "%32s ", buf);
v = kstrtos32(buf, 10, &tempInt);
- if ((v < 0) || (tempInt <= 0)) return -EINVAL;
+ if ((v < 0) ||
+ (tempInt <= 0) ||
+ (tempInt > WNI_CFG_CURRENT_CHANNEL_STAMAX))
+ {
+ return -EINVAL;
+ }
pChannelList[j] = tempInt;
VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO_HIGH,
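Review bot: The width added in `sscanf(inPtr, "%32s ", buf)` lets sscanf store up to 32 characters plus the terminating NUL, so `buf` must be at least 33 bytes. Its declaration is outside the hunk; if it is a 32-byte array, this is still a one-byte overflow. The same format appears in the context-line call in the second hunk (-1534,7). The return value is ignored in both places, so a failed conversion would leave `buf` holding the previous token for `kstrtos32` to parse again. Assuming a 32-byte buffer, `if (1 != sscanf(inPtr, "%31s ", buf)) return -EINVAL;` at both call sites covers the width and the unchecked result.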