wlan: fix possible OOB read in SIOCSIWRATE WEXT ioctl handler
The value used to dictate the end of the for loop is greater than the
size of array supp_rates; this will cause an OOB read when looping
through supp_rates. So we need to modify the size of array supp_rates.

There's also a functional issue in that the second call to
sme_cfg_get_str() overwrites the lower values of the first call,
thus not ever allowing the lower channel rates of A to ever be
valid. So we need to update the read buffer address for the second
sme_cfg_get_str().
CRs-Fixed: 2247498
Change-Id: I27091a9f48d1eb4d6806ebcfd2310fe848af408f
diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index 5fef7c7..41ba21f 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -2104,7 +2104,8 @@
hdd_wext_state_t *pWextState;
hdd_station_ctx_t *pHddStaCtx;
hdd_context_t *pHddCtx;
- v_U8_t supp_rates[WNI_CFG_SUPPORTED_RATES_11A_LEN];
+ v_U8_t supp_rates[WNI_CFG_SUPPORTED_RATES_11A_LEN +
+ WNI_CFG_SUPPORTED_RATES_11B_LEN];
v_U32_t a_len = WNI_CFG_SUPPORTED_RATES_11A_LEN;
v_U32_t b_len = WNI_CFG_SUPPORTED_RATES_11B_LEN;
v_U32_t i, rate;
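Review bot: The new supp_rates declaration repeats the two length constants that a_len and b_len are initialised from just below, with nothing saying that the buffer is meant to hold the 11A rates followed by the 11B rates. A short comment on the declaration, or a single named size for the combined length, would keep the array size tied to the layout that the second hunk relies on when it writes at supp_rates + a_len. Without that, a later change to either length or to the order of the reads could reintroduce the mismatch between buffer size and loop bound.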
@@ -2167,7 +2168,7 @@
supp_rates, &a_len) == eHAL_STATUS_SUCCESS) &&
(ccmCfgGetStr(WLAN_HDD_GET_HAL_CTX(pAdapter),
WNI_CFG_SUPPORTED_RATES_11B,
- supp_rates, &b_len) == eHAL_STATUS_SUCCESS))
+ supp_rates + a_len, &b_len) == eHAL_STATUS_SUCCESS))
{
for (i = 0; i < (b_len + a_len); ++i)
{
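Review bot: The second read now writes at supp_rates + a_len, but a_len is passed by pointer to the first ccmCfgGetStr() call, so the offset is whatever that call left in it, and nothing in this hunk checks it against WNI_CFG_SUPPORTED_RATES_11A_LEN before using it. The same applies to the loop bound in "for (i = 0; i < (b_len + a_len); ++i)", which trusts both returned lengths. Consider an explicit check that a_len + b_len does not exceed sizeof(supp_rates) before the loop, and that a_len is within the 11A maximum before the second call, so the fix does not depend on the config layer never returning a larger length. A one-line comment that the && ordering is what guarantees a_len is final before it is used as the offset would also help the next reader.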