author | Insun Song <insun.song@broadcom.com> | 2018-07-12 18:00:28 -0700 |
---|---|---|
committer | Ecco Park <eccopark@google.com> | 2018-08-24 14:41:01 -0700 |
commit | f3e8b81ef9c1725824b3577a93863a644883b315 (patch) | |
tree | c05ec44c42fbe3de3eea082ad877478ecd224fc0 | |
parent | a10bcf87286701d69cde0e8d76170f74978c9fed (diff) | |
net: wireless: bcmdhd: add string buffer bound check in wifi_set_epno_list
When an attacker controls the user-supplied SSID buffer,
it might not be NUL-terminated, which eventually leads to an OOB read.
Bug: 111830385
Change-Id: I13513acf3fc84c8da3184b43022ac8ed7984596d
Signed-off-by: Insun Song <insun.song@broadcom.com>
-rw-r--r-- | bcmdhd/wifi_hal/gscan.cpp | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/bcmdhd/wifi_hal/gscan.cpp b/bcmdhd/wifi_hal/gscan.cpp
index d3dc0e7..1b9af17 100644
--- a/bcmdhd/wifi_hal/gscan.cpp
+++ b/bcmdhd/wifi_hal/gscan.cpp
@@ -1180,6 +1180,7 @@ public:
 }
 }
 int createSetupRequest(WifiRequest& request) {
+ char tmp_buf[DOT11_MAX_SSID_LEN + 1];
 if (epno_params.num_networks > MAX_EPNO_NETWORKS) {
 ALOGE("wrong epno num_networks:%d", epno_params.num_networks);
 return WIFI_ERROR_INVALID_ARGS;
@@ -1241,14 +1242,17 @@ public:
 if (attr2 == NULL) {
 return WIFI_ERROR_OUT_OF_MEMORY;
 }
- result = request.put(GSCAN_ATTRIBUTE_EPNO_SSID, ssid_list[i].ssid, DOT11_MAX_SSID_LEN);
- ALOGI("PNO network: SSID %s flags %x auth %x", ssid_list[i].ssid,
+ strlcpy(tmp_buf, ssid_list[i].ssid, sizeof(tmp_buf));
+ result = request.put(GSCAN_ATTRIBUTE_EPNO_SSID, tmp_buf,
+ strlen(tmp_buf));
+ ALOGI("PNO network: SSID %s flags %x auth %x", tmp_buf,
 ssid_list[i].flags, ssid_list[i].auth_bit_field);
 if (result < 0) {
 return result;
 }
- result = request.put_u32(GSCAN_ATTRIBUTE_EPNO_SSID_LEN, strlen(ssid_list[i].ssid));
+ result = request.put_u32(GSCAN_ATTRIBUTE_EPNO_SSID_LEN,
+ strlen(tmp_buf));
 if (result < 0) {
 return result;
 } |
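Review bot: `strlcpy(tmp_buf, ssid_list[i].ssid, sizeof(tmp_buf))` in the second hunk still reads the source until it finds a NUL, because strlcpy returns the full length of its source string, so an SSID field with no terminator is over-read as before and only the copy into `tmp_buf` is bounded. Bounding the read itself needs `strnlen` with DOT11_MAX_SSID_LEN as the limit, a `memcpy` of that many bytes and an explicit terminator; the resulting length can then feed both `request.put` and `request.put_u32` instead of two further `strlen(tmp_buf)` calls. The declared size of `ssid` is not visible here, so this assumes the field holds at least DOT11_MAX_SSID_LEN bytes, which the removed `request.put` call already read. The enclosing loop and the rest of createSetupRequest lie outside the hunk.

```cpp
// … unchanged: attr2 NULL check …
size_t ssid_len = strnlen(ssid_list[i].ssid, DOT11_MAX_SSID_LEN);
memcpy(tmp_buf, ssid_list[i].ssid, ssid_len);
tmp_buf[ssid_len] = '\0';
result = request.put(GSCAN_ATTRIBUTE_EPNO_SSID, tmp_buf, ssid_len);
// … unchanged: ALOGI of tmp_buf, result check …
result = request.put_u32(GSCAN_ATTRIBUTE_EPNO_SSID_LEN, ssid_len);
// … unchanged: result check …
```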