authorEddie Chen <eddie.chen@mediatek.com>2016-06-22 11:34:12 +0800
committerEddie Chen <eddie.chen@mediatek.com>2016-06-28 14:41:05 +0800
commit1b4fde08c890ffc4b8ed4a43dc2899f94e6c2289 (patch)
tree5b1b7d1fe46bcaded7ded7303fab903e9b0cf66c
parentdff58f0fa983d7bc610f3f6eabc34b484d4605bf (diff)
downloadmediatek-1b4fde08c890ffc4b8ed4a43dc2899f94e6c2289.tar.gz
Security Vulnerability in Android One mt_wifi IOCTL_GET_STRUCT EOP
check the length of the data copied from userspace Bug num:26267358 Change-Id: I5b4b12c67b195ecb47585d427423d4f876167da5 signea-off-by: eddie chen <eddie.chen@mediatek.com>
-rw-r--r--drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c b/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c
index 1bcfc93ee951..ab29a68c1cf7 100644
--- a/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c
+++ b/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_wext_priv.c
@@ -1641,6 +1641,7 @@ priv_get_struct(IN struct net_device *prNetDev,
UINT_32 u4BufLen = 0;
PUINT_32 pu4IntBuf = NULL;
int status = 0;
+ UINT_32 u4CopyDataMax = 0;
kalMemZero(&aucOidBuf[0], sizeof(aucOidBuf));
@@ -1701,9 +1702,11 @@ priv_get_struct(IN struct net_device *prNetDev,
pu4IntBuf = (PUINT_32) prIwReqData->data.pointer;
prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
- if (copy_from_user(&prNdisReq->ndisOidContent[0],
- prIwReqData->data.pointer,
- prIwReqData->data.length)) {
+ u4CopyDataMax = sizeof(aucOidBuf) - OFFSET_OF(NDIS_TRANSPORT_STRUCT, ndisOidContent);
+ if ((prIwReqData->data.length>u4CopyDataMax)
+ || copy_from_user(&prNdisReq->ndisOidContent[0],
+ prIwReqData->data.pointer,
+ prIwReqData->data.length)) {
DBGLOG(REQ, INFO, "priv_get_struct() copy_from_user oidBuf fail\n");
return -EFAULT;
}
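Review bot: The new length test in the `if` around `copy_from_user` shares its error path with a real copy fault: an oversized `data.length` returns `-EFAULT` and logs "copy_from_user oidBuf fail", so a rejected out-of-range request from userspace cannot be told apart from a bad pointer when reading logs. Testing the bound first with its own return, e.g. `if (prIwReqData->data.length > u4CopyDataMax) return -EINVAL;`, together with a DBGLOG line that prints the requested and maximum lengths, keeps the fix and makes the rejected case visible. The bound itself, `sizeof(aucOidBuf)` minus the offset of `ndisOidContent`, matches the destination of the copy. priv_get_struct continues outside the hunk, so any later use of length fields taken from the copied request is not visible here and may need a similar bound if it indexes `aucOidBuf`.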