summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>2022-12-29 07:53:47 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-12-29 07:53:47 +0000
commit39a786de6e1c446507160abce22b04f8012e6f08 (patch)
tree4a9e3b108464ba215bcd2cac801b250c4fb5ee91
parent72b872097da907a1c30debf5c2770ad035d59889 (diff)
parent17a101dc4db673a6ae2963670c449395343d9d41 (diff)
downloadwlan-39a786de6e1c446507160abce22b04f8012e6f08.tar.gz
Fix OOB write possible when len equals sizeof array am: 15500502b7 am: 17a101dc4d
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/20770980 Change-Id: If9f823aafd5409d2809b87ad8db9e571d44474f7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Diffstat
-rwxr-xr-xbcmdhd/wifi_hal/nan.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/bcmdhd/wifi_hal/nan.cpp b/bcmdhd/wifi_hal/nan.cpp
index bfc33e0..b25a41e 100755
--- a/bcmdhd/wifi_hal/nan.cpp
+++ b/bcmdhd/wifi_hal/nan.cpp
@@ -1386,6 +1386,8 @@ class NanDiscEnginePrimitive : public WifiCommand
}
if (mParams->service_specific_info_len > 0) {
+ u16 len = min(mParams->service_specific_info_len,
+ sizeof(mParams->service_specific_info) - 1);
result = request.put_u16(NAN_ATTRIBUTE_SERVICE_SPECIFIC_INFO_LEN,
mParams->service_specific_info_len);
if (result < 0) {
@@ -1400,7 +1402,7 @@ class NanDiscEnginePrimitive : public WifiCommand
ALOGE("%s: Failed to put svc info, result = %d", __func__, result);
return result;
}
- mParams->service_specific_info[mParams->service_specific_info_len] = '\0';
+ mParams->service_specific_info[len] = '\0';
ALOGI("Transmit service info string is %s\n", mParams->service_specific_info);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-05 13:28:40 +0000