authorDeepthi Gowri <deepthi@codeaurora.org>2013-03-06 14:13:02 +0530
committerHardik Kantilal Patel <hkpatel@codeaurora.org>2013-07-30 22:44:05 +0530
commite5264719db35dc81ca0183f5f7dcd5977a599408 (patch)
tree64709b5d7b8d4b4425af9abf4a6f61b117931a7f
parent8bff0c0323c62c34621a818dc1e2f863589aab00 (diff)
wlan: Make allocation dynamic instead of static array
Fix buffer overrun issue due to static array allocation. Dynamic allocation is done according to the IE lengths to resolve this issue. Change-Id: I85d6cbb25c98786662874f22eee574e611e57c46 CRs-fixed: 457100
-rw-r--r--qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c39
1 files changed, 23 insertions, 16 deletions
diff --git a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
index 8a1b70d..cfba814 100644
--- a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
+++ b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
@@ -17,8 +17,6 @@
#include "android_drv.h"
#endif
-#define MAX_WPSP2PIE_CMD_SIZE 512
-
typedef struct android_wifi_priv_cmd {
char *buf;
int used_len;
@@ -91,7 +89,7 @@ int wpa_driver_nl80211_driver_cmd(void *priv, char *cmd, char *buf,
else if (os_strcasecmp(cmd, "P2P_SET_NOA") == 0)
wpa_printf(MSG_DEBUG, "%s: P2P: %s ", __func__, buf);
else
- wpa_printf(MSG_DEBUG, "%s %s len = %d, %d", __func__, buf, ret, strlen(buf));
+ wpa_printf(MSG_DEBUG, "%s %s len = %d, %d", __func__, buf, ret, buf_len);
}
}
return ret;
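Review bot: The new last argument `buf_len` is still printed with `%d` in the wpa_printf() call of the final `else` branch. Its declaration is cut off in the hunk header, but if it is a `size_t` (as a length parameter usually is) the specifier does not match the argument type, which is undefined behaviour on targets where `size_t` is wider than `int`. I would write `"%s %s len = %d, %zu"`, or cast with `(int) buf_len` if `%zu` is not usable in this logging wrapper. The log line also changes meaning from the string length of `buf` to the buffer capacity, which deserves a word in the message, e.g. `buf_len = %zu`.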
@@ -127,12 +125,12 @@ int wpa_driver_set_ap_wps_p2p_ie(void *priv, const struct wpabuf *beacon,
const struct wpabuf *proberesp,
const struct wpabuf *assocresp)
{
- char buf[MAX_WPSP2PIE_CMD_SIZE];
- struct wpabuf *ap_wps_p2p_ie = NULL;
+ char *buf;
+ const struct wpabuf *ap_wps_p2p_ie = NULL;
char *_cmd = "SET_AP_WPS_P2P_IE";
char *pbuf;
int ret = 0;
- int i;
+ int i, buf_len;
struct cmd_desc {
int cmd;
const struct wpabuf *src;
@@ -145,20 +143,29 @@ int wpa_driver_set_ap_wps_p2p_ie(void *priv, const struct wpabuf *beacon,
wpa_printf(MSG_DEBUG, "%s: Entry", __func__);
for (i = 0; cmd_arr[i].cmd != -1; i++) {
- os_memset(buf, 0, sizeof(buf));
- pbuf = buf;
- pbuf += sprintf(pbuf, "%s %d", _cmd, cmd_arr[i].cmd);
- *pbuf++ = '\0';
ap_wps_p2p_ie = cmd_arr[i].src ?
- wpabuf_dup(cmd_arr[i].src) : NULL;
+ cmd_arr[i].src : NULL;
if (ap_wps_p2p_ie) {
- os_memcpy(pbuf, wpabuf_head(ap_wps_p2p_ie), wpabuf_len(ap_wps_p2p_ie));
- ret = wpa_driver_nl80211_driver_cmd(priv, buf, buf,
- strlen(_cmd) + 3 + wpabuf_len(ap_wps_p2p_ie));
- wpabuf_free(ap_wps_p2p_ie);
- if (ret < 0)
+ buf_len = strlen(_cmd) + 3 + wpabuf_len(ap_wps_p2p_ie);
+ buf = os_zalloc(buf_len);
+ if (NULL == buf) {
+ wpa_printf(MSG_DEBUG,"%s: Out of space for buf",
+ __func__);
+ ret = -1;
break;
+ }
+ } else {
+ continue;
}
+ pbuf = buf;
+ pbuf += snprintf(pbuf, buf_len - wpabuf_len(ap_wps_p2p_ie), "%s %d",
+ _cmd, cmd_arr[i].cmd);
+ *pbuf++ = '\0';
+ os_memcpy(pbuf, wpabuf_head(ap_wps_p2p_ie), wpabuf_len(ap_wps_p2p_ie));
+ ret = wpa_driver_nl80211_driver_cmd(priv, buf, buf, buf_len);
+ os_free(buf);
+ if (ret < 0)
+ break;
}
return ret;
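Review bot: The snprintf() return value is added to `pbuf` without a check, so the allocation is only large enough while `"%s %d"` formats to exactly `strlen(_cmd) + 2` characters. snprintf() returns the length it would have written, not the truncated length. If `cmd_arr[i].cmd` ever needs more than one digit or is negative (the table is defined outside this hunk), `pbuf` moves past the 3-byte allowance and the following `*pbuf++ = '\0'` and os_memcpy() write beyond `buf_len` on the heap. I would compute the prefix length once in a new `size_t hdr_len`, keep the snprintf() result in a new `int n`, and reject a negative or truncated result before the IE is copied. `buf_len` should also be `size_t` rather than `int` (its declaration is in the previous hunk), since it is built from strlen() and wpabuf_len() and passed on as a length. The function body starts before this hunk.
```c
		// … unchanged: buf_len computation, os_zalloc() and its NULL check …
		hdr_len = strlen(_cmd) + 3;	/* ' ' + one digit + NUL */
		n = snprintf(buf, hdr_len, "%s %d", _cmd, cmd_arr[i].cmd);
		if (n < 0 || (size_t) n >= hdr_len) {
			/* prefix did not fit the space reserved for it */
			os_free(buf);
			ret = -1;
			break;
		}
		pbuf = buf + n + 1;	/* skip the NUL snprintf already wrote */
		// … unchanged: os_memcpy() of the IE, driver_cmd call, os_free(buf), ret check …
```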