authoryang-cy.chen <yang-cy.chen@mediatek.com>2016-01-14 10:57:45 +0800
committerMoyster <oysterized@gmail.com>2016-08-26 16:02:17 +0200
commited4fff76be6333a98a6736bc2550fffb7d5e8053 (patch)
treeb83f3b9ba4d8e61559556488ccade3e89bde2587 /drivers/misc
parent7a23e2529065caafe5f998f38c58919a0cac1087 (diff)
Fix "[Security Vulnerability]mt_wifi IOCTL_GET_STRUCT EOP" issue
Problem: prNdisReq->ndisOidContent is in a static allocation of size 0x1000, and prIwReqData->data.length is a usermode-controlled unsigned short, so the copy_from_user results in memory corruption. Solution: Add boundary protection to prevent buffer overflow. Bug num:26267358 Change-Id: I70f9d2affb9058e2e80b6b9f8278d538186283d3 Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com> (cherry picked from commit 9c112c7344a2642a6e7ee29ee920900248a29e8a)
Diffstat (limited to 'drivers/misc')
-rw-r--r--drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c b/drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
index 26419efe4..7b290b931 100644
--- a/drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
+++ b/drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
@@ -2037,6 +2037,7 @@ priv_get_struct (
UINT_32 u4BufLen = 0;
PUINT_32 pu4IntBuf = NULL;
int status = 0;
+ UINT_32 u4CopyDataMax = 0;
kalMemZero(&aucOidBuf[0], sizeof(aucOidBuf));
@@ -2107,9 +2108,11 @@ priv_get_struct (
pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
- if (copy_from_user(&prNdisReq->ndisOidContent[0],
- prIwReqData->data.pointer,
- prIwReqData->data.length)) {
+ u4CopyDataMax = sizeof(aucOidBuf) - OFFSET_OF(NDIS_TRANSPORT_STRUCT, ndisOidContent);
+ if ((prIwReqData->data.length>u4CopyDataMax)
+ || copy_from_user(&prNdisReq->ndisOidContent[0],
+ prIwReqData->data.pointer,
+ prIwReqData->data.length)) {
DBGLOG(REQ, INFO, ("priv_get_struct() copy_from_user oidBuf fail\n"));
return -EFAULT;
}
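Review bot: The combined condition in the new `if` sends an over-long `prIwReqData->data.length` down the same path as a faulting user pointer: it returns `-EFAULT` and logs "copy_from_user oidBuf fail", so a request rejected by the bound cannot be told apart from a bad pointer, either in the log or by the caller. Testing the length first on its own, `if (prIwReqData->data.length > u4CopyDataMax) return -EINVAL;` with its own DBGLOG message, keeps the fix and makes out-of-range lengths visible to anyone triaging the driver log. The bound covers only this copy; priv_get_struct continues outside the hunk, and any length field inside the copied NDIS_TRANSPORT_STRUCT that later code trusts presumably needs checking against `u4CopyDataMax` as well. As a minor style point, `data.length>u4CopyDataMax` should have spaces around the operator.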