author | Eddie Chen <eddie.chen@mediatek.com> | 2016-06-22 11:34:12 +0800 |
---|---|---|
committer | Eddie Chen <eddie.chen@mediatek.com> | 2016-06-28 14:41:05 +0800 |
commit | 1b4fde08c890ffc4b8ed4a43dc2899f94e6c2289 (patch) | |
tree | 5b1b7d1fe46bcaded7ded7303fab903e9b0cf66c | |
parent | dff58f0fa983d7bc610f3f6eabc34b484d4605bf (diff) | |
download | mediatek-1b4fde08c890ffc4b8ed4a43dc2899f94e6c2289.tar.gz |
Security Vulnerability in Android One mt_wifi IOCTL_GET_STRUCT EOP
Check the length of the data copied from userspace
Bug num:26267358
Change-Id: I5b4b12c67b195ecb47585d427423d4f876167da5
signea-off-by: eddie chen <eddie.chen@mediatek.com>
-rw-r--r-- | drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c b/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c
index 1bcfc93ee951..ab29a68c1cf7 100644
--- a/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c
+++ b/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c
@@ -1641,6 +1641,7 @@ priv_get_struct(IN struct net_device *prNetDev,
 UINT_32 u4BufLen = 0;
 PUINT_32 pu4IntBuf = NULL;
 int status = 0;
+ UINT_32 u4CopyDataMax = 0;
 kalMemZero(&aucOidBuf[0], sizeof(aucOidBuf));
@@ -1701,9 +1702,11 @@ priv_get_struct(IN struct net_device *prNetDev,
 pu4IntBuf = (PUINT_32) prIwReqData->data.pointer;
 prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
- if (copy_from_user(&prNdisReq->ndisOidContent[0],
- prIwReqData->data.pointer,
- prIwReqData->data.length)) {
+ u4CopyDataMax = sizeof(aucOidBuf) - OFFSET_OF(NDIS_TRANSPORT_STRUCT, ndisOidContent);
+ if ((prIwReqData->data.length>u4CopyDataMax)
+ || copy_from_user(&prNdisReq->ndisOidContent[0],
+ prIwReqData->data.pointer,
+ prIwReqData->data.length)) {
 DBGLOG(REQ, INFO, "priv_get_struct() copy_from_user oidBuf fail\n");
 return -EFAULT;
 } |
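Review bot: The oversize-length case in the second hunk is folded into the copy_from_user() failure path, so a request whose `data.length` exceeds `u4CopyDataMax` returns -EFAULT and logs "copy_from_user oidBuf fail" even though no copy was attempted. A separate guard ahead of the copy, `if (prIwReqData->data.length > u4CopyDataMax) return -EINVAL;`, would let callers and log readers tell a rejected length from a bad user pointer, and logging the rejected length there would help triage. The new bound covers only the bytes copied into `aucOidBuf`; whether length fields inside the copied NDIS_TRANSPORT_STRUCT are validated before later use cannot be seen here, because priv_get_struct starts and ends outside the hunk. Any other copy_from_user() site that fills this buffer would presumably need the same bound.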