net: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref
Insun Song [Wed, 1 Feb 2017 00:18:40 +0000 (16:18 -0800)]
Add a boundary check so that the allocated buffer is not overrun,
especially when the user input is corrupted or manipulated.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
Bug: 34469904
Reviewed-on: http://git-master/r/1459055
(cherry picked from commit 7bbbb5e7c7007959ce2704883aff37fc470a95c1)
Reviewed-on: http://git-master/r/1463483
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

drivers/net/wireless/bcmdhd/wl_android.c

index 9c06e68..25b5da9 100755 (executable)
@@ -1521,8 +1521,8 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
        uint8 buf[MAX_BUF_SIZE];
        uint8 *pref = buf;
        char *pcmd;
-       int num_ucipher_suites = 0;
-       int num_akm_suites = 0;
+       uint num_ucipher_suites;
+       uint num_akm_suites;
        wpa_suite_t ucipher_suites[MAX_NUM_SUITES];
        wpa_suite_t akm_suites[MAX_NUM_SUITES];
        int num_tuples = 0;
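Review bot: The switch from `int` to `uint` on `num_ucipher_suites` and `num_akm_suites` is what makes the bounds checks in the later hunks effective, but nothing at the declarations says so: with a signed counter, a large hex value returned by `simple_strtoul` could end up negative and pass `> MAX_NUM_SUITES`. I would add a comment above the two declarations, e.g. `/* unsigned: parsed from the user command, must not go negative before the MAX_NUM_SUITES check */`, so a later cleanup does not change the type back. The new `WL_ERR` calls in the two later hunks print these counters with `%d`; `%u` matches the new type. Dropping the `= 0` initialisers is safe only if every path assigns before use, which cannot be confirmed here because the function body continues outside the hunk.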
@@ -1535,6 +1535,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
        total_len_left = total_len - strlen(CMD_SET_ROAMPREF) + 1;
 
        num_akm_suites = simple_strtoul(pcmd, NULL, 16);
+       if (num_akm_suites > MAX_NUM_SUITES) {
+               WL_ERR(("wrong num_akm_suites:%d.\n", num_akm_suites));
+               return BCME_ERROR;
+       }
        /* Increment for number of AKM suites field + space */
        pcmd += 3;
        total_len_left -= 3;
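Review bot: The added check bounds the count, but the parse around it still trusts the field layout: `simple_strtoul(pcmd, NULL, 16)` is called with a NULL end pointer, so a field with no hex digits is read as 0 and accepted, and `pcmd += 3` / `total_len_left -= 3` follow with no visible test that three bytes remain. A guard before the parse, such as `if (total_len_left < 3) return BCME_ERROR;`, together with passing an end pointer and rejecting the command when nothing was consumed, would close that; the `num_ucipher_suites` hunk has the same pattern. The context line `total_len_left = total_len - strlen(CMD_SET_ROAMPREF) + 1;` also looks as if it over-counts the remaining bytes if `pcmd` was advanced by `strlen(CMD_SET_ROAMPREF) + 1`. That assignment and the rest of the function are outside the hunk, so both points need confirming against the full body.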
@@ -1560,6 +1564,10 @@ wl_android_set_roampref(struct net_device *dev, char *command, int total_len)
 
        total_len_left -= (num_akm_suites * WIDTH_AKM_SUITE);
        num_ucipher_suites = simple_strtoul(pcmd, NULL, 16);
+       if (num_ucipher_suites > MAX_NUM_SUITES) {
+               WL_ERR(("wrong num_ucipher_suites:%d.\n", num_ucipher_suites));
+               return BCME_ERROR;
+       }
        /* Increment for number of cipher suites field + space */
        pcmd += 3;
        total_len_left -= 3;
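Review bot: With `num_akm_suites` now unsigned, `total_len_left -= (num_akm_suites * WIDTH_AKM_SUITE)` at the top of this hunk is evaluated in unsigned arithmetic, and so is any guard outside the hunk that compares `total_len_left` with such a product. Assuming `total_len_left` is a signed `int` like `total_len`, a remaining length that has already gone negative would be converted to a large unsigned value and would not be caught by a `total_len_left < needed` test. Both counters are bounded by `MAX_NUM_SUITES` once the new checks have run, so casting at the use sites is safe, e.g. `total_len_left -= (int)num_akm_suites * WIDTH_AKM_SUITE;`. The declaration of `total_len_left` and the guards are not in the visible hunks, so this should be checked against the full function.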