From 31e4178cdccface35bfcd6cebc0f7c6c777ac4c9 Mon Sep 17 00:00:00 2001 From: Jerry Lee <jerrylee@broadcom.com> Date: Fri, 8 Jul 2016 15:40:24 -0700 Subject: [PATCH] net: wireless: bcmdhd: security vulnerability - protect array overflow in PNO Protect array overflow in parsing PNO batching cmd Bug: 29009982 Change-Id: I4e36f580336cacd6e3efcb8caf91eef33003753b Signed-off-by: Jerry Lee <jerrylee@broadcom.com> (cherry picked from commit 067086bca55d61a2c2721ca8f16be3a7db9c19fa) --- drivers/net/wireless/bcmdhd/wl_android.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/bcmdhd/wl_android.c b/drivers/net/wireless/bcmdhd/wl_android.c index 260277b4908d..0c9f1f47f180 100644 --- a/drivers/net/wireless/bcmdhd/wl_android.c +++ b/drivers/net/wireless/bcmdhd/wl_android.c @@ -365,8 +365,9 @@ wls_parse_batching_cmd(struct net_device *dev, char *command, int total_len) " <> params\n", __FUNCTION__)); goto exit; } - while ((token2 = strsep(&pos2, - PNO_PARAM_CHANNEL_DELIMETER)) != NULL) { + + while ((token2 = strsep(&pos2, PNO_PARAM_CHANNEL_DELIMETER)) + != NULL) { if (token2 == NULL || !*token2) break; if (*token2 == '\0') @@ -377,13 +378,20 @@ wls_parse_batching_cmd(struct net_device *dev, char *command, int total_len) DHD_PNO(("band : %s\n", (*token2 == 'A')? "A" : "B")); } else { + if ((batch_params.nchan >= WL_NUMCHANNELS) || + (i >= WL_NUMCHANNELS)) { + DHD_ERROR(("Too many nchan %d\n", + batch_params.nchan)); + err = BCME_BUFTOOSHORT; + goto exit; + } batch_params.chan_list[i++] = - simple_strtol(token2, NULL, 0); + simple_strtol(token2, NULL, 0); batch_params.nchan++; - DHD_PNO(("channel :%d\n", - batch_params.chan_list[i-1])); + DHD_PNO(("channel: %d\n", + batch_params.chan_list[i-1])); } - } + } } else if (!strncmp(param, PNO_PARAM_RTT, strlen(PNO_PARAM_RTT))) { batch_params.rtt = simple_strtol(value, NULL, 0); DHD_PNO(("rtt : %d\n", batch_params.rtt)); -- GitLab