authorInsun Song <insun.song@broadcom.com>2018-07-12 18:00:28 -0700
committerEcco Park <eccopark@google.com>2018-08-24 14:41:01 -0700
commitf3e8b81ef9c1725824b3577a93863a644883b315 (patch)
treec05ec44c42fbe3de3eea082ad877478ecd224fc0
parenta10bcf87286701d69cde0e8d76170f74978c9fed (diff)
net: wireless: bcmdhd: add string buffer bound check in wifi_set_epno_list
When an attacker controls the user-supplied SSID buffer, the buffer may not be NUL-terminated, which eventually leads to an OOB read. Bug: 111830385 Change-Id: I13513acf3fc84c8da3184b43022ac8ed7984596d Signed-off-by: Insun Song <insun.song@broadcom.com>
-rw-r--r--bcmdhd/wifi_hal/gscan.cpp10
1 files changed, 7 insertions, 3 deletions
diff --git a/bcmdhd/wifi_hal/gscan.cpp b/bcmdhd/wifi_hal/gscan.cpp
index d3dc0e7..1b9af17 100644
--- a/bcmdhd/wifi_hal/gscan.cpp
+++ b/bcmdhd/wifi_hal/gscan.cpp
@@ -1180,6 +1180,7 @@ public:
}
}
int createSetupRequest(WifiRequest& request) {
+ char tmp_buf[DOT11_MAX_SSID_LEN + 1];
if (epno_params.num_networks > MAX_EPNO_NETWORKS) {
ALOGE("wrong epno num_networks:%d", epno_params.num_networks);
return WIFI_ERROR_INVALID_ARGS;
@@ -1241,14 +1242,17 @@ public:
if (attr2 == NULL) {
return WIFI_ERROR_OUT_OF_MEMORY;
}
- result = request.put(GSCAN_ATTRIBUTE_EPNO_SSID, ssid_list[i].ssid, DOT11_MAX_SSID_LEN);
- ALOGI("PNO network: SSID %s flags %x auth %x", ssid_list[i].ssid,
+ strlcpy(tmp_buf, ssid_list[i].ssid, sizeof(tmp_buf));
+ result = request.put(GSCAN_ATTRIBUTE_EPNO_SSID, tmp_buf,
+ strlen(tmp_buf));
+ ALOGI("PNO network: SSID %s flags %x auth %x", tmp_buf,
ssid_list[i].flags,
ssid_list[i].auth_bit_field);
if (result < 0) {
return result;
}
- result = request.put_u32(GSCAN_ATTRIBUTE_EPNO_SSID_LEN, strlen(ssid_list[i].ssid));
+ result = request.put_u32(GSCAN_ATTRIBUTE_EPNO_SSID_LEN,
+ strlen(tmp_buf));
if (result < 0) {
return result;
}