wlan:Fix buffer overwrite problem in GETROAMSCANCHANNELMINTIME
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing mininum of (len + 1) and priv_data.total_len.
Change-Id: Ic7a76773875ed60d1c37498e25d3ee3f5650fcb8
CRs-Fixed: 865561
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index a6fa05b..bc8aaeb 100755
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -3085,7 +3085,8 @@
MTRACE(vos_trace(VOS_MODULE_ID_HDD,
TRACE_CODE_HDD_GETROAMSCANCHANNELMINTIME_IOCTL,
pAdapter->sessionId, val));
- if (copy_to_user(priv_data.buf, &extra, len + 1))
+ len = VOS_MIN(priv_data.total_len, len + 1);
+ if (copy_to_user(priv_data.buf, &extra, len))
{
VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
"%s: failed to copy data to user buffer", __func__);