wlan:Fix buffer overwrite problem in GETROAMSCANCHANNELMINTIME If (len + 1) is greater than priv_data.total_len then copy_to_user results in writing more data than the buffer can hold. Fix this by writing mininum of (len + 1) and priv_data.total_len. Change-Id: Ic7a76773875ed60d1c37498e25d3ee3f5650fcb8 CRs-Fixed: 865561

commit: bb8c52c4b3d796ce1f556502a0520bc5c1ef74c5 [log] [tgz]
author: Sushant Kaushik <skaushik@qti.qualcomm.com> Wed Jul 15 16:36:23 2015 +0530
committer: Satyanarayana Dash <sadash@codeaurora.org> Wed Jul 15 19:52:48 2015 +0530
tree: 5bc1e6ed85b0e62214cb9b601fe5d18a7d1c3371
parent: 231a445351479e381baac36f46fd1cf1eae9a9a8 [diff] [blame]
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index a6fa05b..bc8aaeb 100755
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c

@@ -3085,7 +3085,8 @@
            MTRACE(vos_trace(VOS_MODULE_ID_HDD,
                             TRACE_CODE_HDD_GETROAMSCANCHANNELMINTIME_IOCTL,
                             pAdapter->sessionId, val));
-           if (copy_to_user(priv_data.buf, &extra, len + 1))
+           len = VOS_MIN(priv_data.total_len, len + 1);
+           if (copy_to_user(priv_data.buf, &extra, len))
            {
                VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
                   "%s: failed to copy data to user buffer", __func__);
commit	bb8c52c4b3d796ce1f556502a0520bc5c1ef74c5	[log] [tgz]
author	Sushant Kaushik <skaushik@qti.qualcomm.com>	Wed Jul 15 16:36:23 2015 +0530
committer	Satyanarayana Dash <sadash@codeaurora.org>	Wed Jul 15 19:52:48 2015 +0530
tree	5bc1e6ed85b0e62214cb9b601fe5d18a7d1c3371
parent	231a445351479e381baac36f46fd1cf1eae9a9a8 [diff] [blame]