net: wireless: bcmdhd: Heap overflow in wl_run_escan
authorSudhir Kohalli <sudhir.kohalli@broadcom.com>
Wed, 10 May 2017 17:15:45 +0000 (10:15 -0700)
committerManish Tuteja <mtuteja@nvidia.com>
Fri, 12 May 2017 23:10:17 +0000 (16:10 -0700)
commit06fb341c4675b2d3176b319c53ef97492174f26c
tree22fa5554811157b310fb5972d1b157ffa3856a27
parentf3e9994f9d2a12dea5a65df10a268dda5351c5a8
net: wireless: bcmdhd: Heap overflow in wl_run_escan

1) The default_chan_list buffer overflow is avoided by checking
n_nodfs index does not exceed num_chans, which is the length
of default_chan_list buffer.
2) The SSID length check 32(max limit) is done and then the SSID
name copied in extra buffer is null terminated. The extra buffer
is allocated a length of of 33 in wl_iw_ioctl.c.

Bug: 34197514
Bug: 34199963
Bug: 34198729

Bug 1887273

Change-Id: Ic583c12b00523186718bc891fc3d9505a07738b6
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Signed-off-by: Mohan Thadikamalla <mohant@nvidia.com>
Reviewed-on: http://git-master/r/1480396
Reviewed-by: Neil Patel <neilp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
drivers/net/wireless/bcmdhd/wl_cfg80211.c