bcm_wifihal: Ensure data integrity for full_scan_results event
Ashwin [Tue, 15 Mar 2016 20:54:16 +0000 (13:54 -0700)]
Ensure that there is no out of bounds read when handling the full
scan results event if corrupted event data is received.

Bug: 27653669

Change-Id: I2e72fa3476e4a9db3c46ac1b732dea5c0444216f
Signed-off-by: Ashwin <ashwin.bhat@broadcom.com>

bcmdhd/wifi_hal/gscan.cpp

index 12ad314..1dc5ec5 100644
@@ -753,6 +753,11 @@ int wifi_handle_full_scan_event(
     wifi_scan_result *full_scan_result;
     wifi_gscan_result_t *fixed = &drv_res->fixed;
 
+    if ((ie_len + offsetof(wifi_gscan_full_result_t, ie_data)) > len) {
+        ALOGE("BAD event data, len %d ie_len %d fixed length %d!\n", len,
+            ie_len, offsetof(wifi_gscan_full_result_t, ie_data));
+        return NL_SKIP;
+    }
     full_scan_result = (wifi_scan_result *) malloc((ie_len + offsetof(wifi_scan_result, ie_data)));
     if (!full_scan_result) {
         ALOGE("Full scan results: Can't malloc!\n");
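Review bot: the ALOGE format string in the new check passes the result of `offsetof(wifi_gscan_full_result_t, ie_data)` to a `%d` conversion; `offsetof` yields a `size_t`, so this is a format/argument mismatch that triggers a compiler warning and can log garbage on LP64 builds. Use `%zu` for that argument (or cast it to `int`), and double-check that `len` and `ie_len` are also printed with specifiers matching their declared types. The bounds check itself is placed correctly: it validates the received event length before the `malloc` sizes the output `wifi_scan_result` from `ie_len`, so a corrupted `ie_len` is rejected before any copy from the event buffer can run past `len`.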