author | Deepthi Gowri <deepthi@codeaurora.org> | 2013-03-06 14:13:02 +0530 |
---|---|---|
committer | Hardik Kantilal Patel <hkpatel@codeaurora.org> | 2013-07-30 22:44:05 +0530 |
commit | e5264719db35dc81ca0183f5f7dcd5977a599408 (patch) | |
tree | 64709b5d7b8d4b4425af9abf4a6f61b117931a7f | |
parent | 8bff0c0323c62c34621a818dc1e2f863589aab00 (diff) | |
wlan: Make allocation dynamic instead of static array
Fix buffer overrun issue due to static array allocation.
Dynamic allocation is done according to the IE lengths to
resolve this issue.
Change-Id: I85d6cbb25c98786662874f22eee574e611e57c46
CRs-fixed: 457100
-rw-r--r-- | qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c | 39 |
1 files changed, 23 insertions, 16 deletions
diff --git a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
index 8a1b70d..cfba814 100644
--- a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
+++ b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
@@ -17,8 +17,6 @@
 #include "android_drv.h"
 #endif
-#define MAX_WPSP2PIE_CMD_SIZE 512
-
 typedef struct android_wifi_priv_cmd {
 char *buf;
 int used_len;
@@ -91,7 +89,7 @@ int wpa_driver_nl80211_driver_cmd(void *priv, char *cmd, char *buf,
 else if (os_strcasecmp(cmd, "P2P_SET_NOA") == 0)
 wpa_printf(MSG_DEBUG, "%s: P2P: %s ", __func__, buf);
 else
- wpa_printf(MSG_DEBUG, "%s %s len = %d, %d", __func__, buf, ret, strlen(buf));
+ wpa_printf(MSG_DEBUG, "%s %s len = %d, %d", __func__, buf, ret, buf_len);
 }
 }
 return ret;
@@ -127,12 +125,12 @@ int wpa_driver_set_ap_wps_p2p_ie(void *priv, const struct wpabuf *beacon,
 const struct wpabuf *proberesp,
 const struct wpabuf *assocresp)
 {
- char buf[MAX_WPSP2PIE_CMD_SIZE];
- struct wpabuf *ap_wps_p2p_ie = NULL;
+ char *buf;
+ const struct wpabuf *ap_wps_p2p_ie = NULL;
 char *_cmd = "SET_AP_WPS_P2P_IE";
 char *pbuf;
 int ret = 0;
- int i;
+ int i, buf_len;
 struct cmd_desc {
 int cmd;
 const struct wpabuf *src;
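Review bot: The last `%d` in the changed `wpa_printf` call now receives `buf_len`, whose declaration sits on the part of the `wpa_driver_nl80211_driver_cmd` signature that this hunk does not show. If that parameter is a `size_t`, the specifier and the argument disagree, which is undefined behaviour in a variadic call; the removed `strlen(buf)` argument had the same mismatch, so the change carries it over rather than fixing it. Either cast at the call site, `__func__, buf, ret, (int) buf_len);`, or change the final specifier to `%zu`.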
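Review bot: `int i, buf_len;` in the declarations of `wpa_driver_set_ap_wps_p2p_ie` holds a buffer size in a signed `int`, although the loop later fills it from `strlen()` plus `wpabuf_len()` and hands it to an allocator and to `snprintf` as a size. Assuming `wpabuf_len()` returns `size_t` as in hostap's wpabuf.h, the sum is narrowed on assignment and widened again on use, and a signed length is the kind of value that should not reach `os_zalloc`. Declaring them separately as `int i;` and `size_t buf_len;` keeps the length in one unsigned type from computation to allocation. The function body continues outside this hunk.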
@@ -145,20 +143,29 @@ int wpa_driver_set_ap_wps_p2p_ie(void *priv, const struct wpabuf *beacon,
 wpa_printf(MSG_DEBUG, "%s: Entry", __func__);
 for (i = 0; cmd_arr[i].cmd != -1; i++) {
- os_memset(buf, 0, sizeof(buf));
- pbuf = buf;
- pbuf += sprintf(pbuf, "%s %d", _cmd, cmd_arr[i].cmd);
- *pbuf++ = '\0';
 ap_wps_p2p_ie = cmd_arr[i].src ?
- wpabuf_dup(cmd_arr[i].src) : NULL;
+ cmd_arr[i].src : NULL;
 if (ap_wps_p2p_ie) {
- os_memcpy(pbuf, wpabuf_head(ap_wps_p2p_ie), wpabuf_len(ap_wps_p2p_ie));
- ret = wpa_driver_nl80211_driver_cmd(priv, buf, buf,
- strlen(_cmd) + 3 + wpabuf_len(ap_wps_p2p_ie));
- wpabuf_free(ap_wps_p2p_ie);
- if (ret < 0)
+ buf_len = strlen(_cmd) + 3 + wpabuf_len(ap_wps_p2p_ie);
+ buf = os_zalloc(buf_len);
+ if (NULL == buf) {
+ wpa_printf(MSG_DEBUG,"%s: Out of space for buf",
+ __func__);
+ ret = -1;
 break;
+ }
+ } else {
+ continue;
 }
+ pbuf = buf;
+ pbuf += snprintf(pbuf, buf_len - wpabuf_len(ap_wps_p2p_ie), "%s %d",
+ _cmd, cmd_arr[i].cmd);
+ *pbuf++ = '\0';
+ os_memcpy(pbuf, wpabuf_head(ap_wps_p2p_ie), wpabuf_len(ap_wps_p2p_ie));
+ ret = wpa_driver_nl80211_driver_cmd(priv, buf, buf, buf_len);
+ os_free(buf);
+ if (ret < 0)
+ break;
 }
 return ret; |
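Review bot: The return value of `snprintf` is added to `pbuf` unchecked, so the terminator write and the `os_memcpy` after it trust that the header fitted in the `strlen(_cmd) + 3` bytes reserved for it. `snprintf` returns the length it would have written, not the length it wrote, so a `cmd_arr[i].cmd` value that prints as more than one digit (the table is defined outside this hunk) would advance `pbuf` beyond the reserved header and the IE copy would run past the end of the heap buffer, which is the overrun this commit sets out to remove. Checking the result against the header size before copying, as below with two new `int` locals `n` and `hdr_len`, turns that case into an error return. The allocation failure is also logged at `MSG_DEBUG`; `MSG_ERROR` would make it visible in normal logs.

```c
		/* … unchanged: buf_len computation, os_zalloc() and NULL check … */
		hdr_len = buf_len - wpabuf_len(ap_wps_p2p_ie);
		n = snprintf(buf, hdr_len, "%s %d", _cmd, cmd_arr[i].cmd);
		if (n < 0 || n >= hdr_len) {
			/* header did not fit in the bytes reserved by "+ 3" */
			wpa_printf(MSG_ERROR, "%s: command header too long",
				   __func__);
			os_free(buf);
			ret = -1;
			break;
		}
		/* snprintf already wrote the NUL at buf[n]; IE bytes follow it */
		pbuf = buf + n + 1;
		os_memcpy(pbuf, wpabuf_head(ap_wps_p2p_ie), wpabuf_len(ap_wps_p2p_ie));
		/* … unchanged: wpa_driver_nl80211_driver_cmd() call, os_free(), ret check … */
```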