commit aa9e38c5931ce85fd05476cd4195d312a38a2a2d
author Ashish Kumar Dhanotiya <adhanoti@codeaurora.org> Wed May 23 20:23:24 2018 +0530
committer Gerrit - the friendly Code Review server <code-review@localhost> Mon Jun 11 22:27:00 2018 -0700
tree 14d097dacbcc453fa9a55cbacf3ef3e60c3c0677
parent 8445854326b5f26354c0cd9c19941219c004624c

wlan: fix possible OOB read in SIOCSIWRATE WEXT ioctl handler

The values used to dictate the end of the for loop is great than the
size of array supp_rates, this will cause an OOB read when loop
through supp_rates. So need modify the size of array supp_rates.
There's also a functional issue in that the second call to
sme_cfg_get_str() overwrites the lower values of the first call,
thus not ever allowing the lower channel rates of A to ever be
valid. So need update the read buffer address for the second
sme_cfg_get_str().

CRs-Fixed: 2247498
Change-Id: I27091a9f48d1eb4d6806ebcfd2310fe848af408f

CORE/HDD/src/wlan_hdd_wext.c

diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index 5fef7c7..41ba21f 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -2104,7 +2104,8 @@
     hdd_wext_state_t *pWextState;
     hdd_station_ctx_t *pHddStaCtx;
     hdd_context_t *pHddCtx;
-    v_U8_t supp_rates[WNI_CFG_SUPPORTED_RATES_11A_LEN];
+    v_U8_t supp_rates[WNI_CFG_SUPPORTED_RATES_11A_LEN +
+                      WNI_CFG_SUPPORTED_RATES_11B_LEN];
     v_U32_t a_len = WNI_CFG_SUPPORTED_RATES_11A_LEN;
     v_U32_t b_len = WNI_CFG_SUPPORTED_RATES_11B_LEN;
     v_U32_t i, rate;
@@ -2167,7 +2168,7 @@
                         supp_rates, &a_len) == eHAL_STATUS_SUCCESS) &&
                 (ccmCfgGetStr(WLAN_HDD_GET_HAL_CTX(pAdapter),
                         WNI_CFG_SUPPORTED_RATES_11B,
-                        supp_rates, &b_len) == eHAL_STATUS_SUCCESS))
+                        supp_rates + a_len, &b_len) == eHAL_STATUS_SUCCESS))
             {
                 for (i = 0; i < (b_len + a_len); ++i)
                 {