Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / prima / 4081bb1fd8f7de345eb2e5066b9eb1e003e77c39
commit4081bb1fd8f7de345eb2e5066b9eb1e003e77c39[log] [tgz]
authorSrinivas Girigowda <sgirigow@qca.qualcomm.com>Mon Jan 06 17:12:58 2014 -0800
committerAnjaneeDevi Kapparapu <c_akappa@qti.qualcomm.com>Wed Jan 08 09:14:15 2014 +0530
tree26aa326b09fefb205f171a283d9edba7c5a453f1
parentd46ea2afeec57007158867099c536ab2d52142ab [diff]
wlan: DroidSec string validation issues

1. the total_len is a user controlled parameter, an attacker
could pass total_len as a huge number and driver may result in
heap based overflow. Fix is to add MAX_LEN check and the value of
4096 is based on wpa_supplicant max data
2. while reading strings using sscanf buffers are allocated with
32 bytes and sscanf %32s could write 32 bytes and automatically
add a NUL termination. which could result in buffer overflow.
Fix is to read only 31 bytes and keep 1 byte for '\0'

CRs-Fixed: 594924
1 file changed
tree: 26aa326b09fefb205f171a283d9edba7c5a453f1
  1. CORE/
  2. firmware_bin/
  3. prima/
  4. riva/
  5. Android.mk
  6. Kbuild
  7. Kconfig