From f3e8b81ef9c1725824b3577a93863a644883b315 Mon Sep 17 00:00:00 2001
From: Insun Song
Date: Thu, 12 Jul 2018 18:00:28 -0700
Subject: net: wireless: bcmdhd: add string buffer bound check in wifi_set_epno_list
When attack control user input SSID buffer, it would not be NULL terminated and eventually hit OOB read.
Bug: 111830385
Change-Id: I13513acf3fc84c8da3184b43022ac8ed7984596d
Signed-off-by: Insun Song
---
 bcmdhd/wifi_hal/gscan.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'bcmdhd')
diff --git a/bcmdhd/wifi_hal/gscan.cpp b/bcmdhd/wifi_hal/gscan.cpp
index d3dc0e7..1b9af17 100644
--- a/bcmdhd/wifi_hal/gscan.cpp
+++ b/bcmdhd/wifi_hal/gscan.cpp
@@ -1180,6 +1180,7 @@ public:
 }
 }
 int createSetupRequest(WifiRequest& request) {
+ char tmp_buf[DOT11_MAX_SSID_LEN + 1];
 if (epno_params.num_networks > MAX_EPNO_NETWORKS) {
 ALOGE("wrong epno num_networks:%d", epno_params.num_networks);
 return WIFI_ERROR_INVALID_ARGS;
@@ -1241,14 +1242,17 @@ public:
 if (attr2 == NULL) {
 return WIFI_ERROR_OUT_OF_MEMORY;
 }
- result = request.put(GSCAN_ATTRIBUTE_EPNO_SSID, ssid_list[i].ssid, DOT11_MAX_SSID_LEN);
- ALOGI("PNO network: SSID %s flags %x auth %x", ssid_list[i].ssid,
+ strlcpy(tmp_buf, ssid_list[i].ssid, sizeof(tmp_buf));
+ result = request.put(GSCAN_ATTRIBUTE_EPNO_SSID, tmp_buf,
+ strlen(tmp_buf));
+ ALOGI("PNO network: SSID %s flags %x auth %x", tmp_buf,
 ssid_list[i].flags, ssid_list[i].auth_bit_field);
 if (result < 0) {
 return result;
 }
- result = request.put_u32(GSCAN_ATTRIBUTE_EPNO_SSID_LEN, strlen(ssid_list[i].ssid));
+ result = request.put_u32(GSCAN_ATTRIBUTE_EPNO_SSID_LEN,
+ strlen(tmp_buf));
 if (result < 0) {
 return result;
 }
--
cgit v1.2.3
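Review bot: The `strlcpy(tmp_buf, ssid_list[i].ssid, sizeof(tmp_buf))` call in the second hunk still walks the source until it finds a NUL, because strlcpy has to return the full source length, so an unterminated `ssid` can still be read past its end even though `tmp_buf` itself is now bounded. A copy bounded on the source side closes that: `size_t ssid_len = strnlen(ssid_list[i].ssid, DOT11_MAX_SSID_LEN);`, `memcpy(tmp_buf, ssid_list[i].ssid, ssid_len);`, `tmp_buf[ssid_len] = '\0';`, with `ssid_len` then passed to both `request.put` and `request.put_u32` instead of calling `strlen(tmp_buf)` twice. This assumes the `ssid` field holds at least DOT11_MAX_SSID_LEN bytes, which is not visible in the hunk. The GSCAN_ATTRIBUTE_EPNO_SSID payload also changes from a fixed DOT11_MAX_SSID_LEN bytes to a variable length without a terminator, so the consumer of that attribute should be confirmed to accept it. createSetupRequest's body continues outside both hunks.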