qcacld-2.0: Fix buffer overrun in function ProcSetReqInternal

In function ProcSetReqInternal, valueLen is obtained from the
message buffer pParam. This valueLen is used as argument to the
function GetStrValue where the contents of the buffer pParam are
copied to pMac->cfg.gSBuffer for valueLen number of bytes. However,
the array pMac->cfg.gSBuffer is a static array of size CFG_MAX_STR_LEN.
If the value of valueLen exceeds CFG_MAX_STR_LEN, a buffer overwrite
will occur in GetStrValue.

Add sanity check to make sure valueLen does not exceed CFG_MAX_STR_LEN.

Change-Id: Id16d4c4b8d2414c00a0fae8f8292f011d0763b84
CRs-Fixed: 2143847
Vignesh Viswanathan 2017-11-20 23:34:12 +05:30 committed by Nolen Johnson
parent 448463a947
commit 82533270de

@ -545,7 +545,8 @@ ProcSetReqInternal(tpAniSirGlobal pMac, tANI_U16 length, tANI_U32 *pParam, tANI_
// Process string parameter
else
{
if (valueLenRoundedUp4 > length)
if ((valueLenRoundedUp4 > length) ||
(valueLen > CFG_MAX_STR_LEN))
{
PELOGE(cfgLog(pMac, LOGE, FL("Invalid string length %d in set param %d (tot %d)"),
valueLen, cfgId, length);)
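
Review bot: the added bound `(valueLen > CFG_MAX_STR_LEN)` still accepts valueLen == CFG_MAX_STR_LEN, which per the commit message fills pMac->cfg.gSBuffer to its last byte. That is only safe if GetStrValue copies exactly valueLen bytes and no later consumer appends or expects a terminator; please confirm that, or tighten the comparison to `>=`. Separately, both failure conditions now share one PELOGE message that prints valueLen, cfgId and length but not the limit, so a rejected request cannot be attributed to the message-length check or the CFG_MAX_STR_LEN check from the log alone. Consider including CFG_MAX_STR_LEN in the message. Testing valueLen against CFG_MAX_STR_LEN first would also make the check read in the order the values are derived, since valueLenRoundedUp4 comes from valueLen.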