From ed4fff76be6333a98a6736bc2550fffb7d5e8053 Mon Sep 17 00:00:00 2001
From: "yang-cy.chen"
Date: Thu, 14 Jan 2016 10:57:45 +0800
Subject: Fix "[Security Vulnerability]mt_wifi IOCTL_GET_STRUCT EOP" issue
Problem: prNdisReq->ndisOidContent is in a static allocation of size 0x1000, and prIwReqData->data.length is a usermode controlled unsigned short ,so the copy_from_user results in memory corruption.
Solution: Add boundary protection to prevent buffer overflow
Bug num:26267358
Change-Id: I70f9d2affb9058e2e80b6b9f8278d538186283d3
Signed-off-by: yang-cy.chen
(cherry picked from commit 9c112c7344a2642a6e7ee29ee920900248a29e8a)
---
 .../conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c b/drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
index 26419efe4..7b290b931 100644
--- a/drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
+++ b/drivers/misc/mediatek/connectivity/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c
@@ -2037,6 +2037,7 @@ priv_get_struct (
 UINT_32 u4BufLen = 0;
 PUINT_32 pu4IntBuf = NULL;
 int status = 0;
+ UINT_32 u4CopyDataMax = 0;
 kalMemZero(&aucOidBuf[0], sizeof(aucOidBuf));
@@ -2107,9 +2108,11 @@ priv_get_struct (
 pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
 prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
- if (copy_from_user(&prNdisReq->ndisOidContent[0],
- prIwReqData->data.pointer,
- prIwReqData->data.length)) {
+ u4CopyDataMax = sizeof(aucOidBuf) - OFFSET_OF(NDIS_TRANSPORT_STRUCT, ndisOidContent);
+ if ((prIwReqData->data.length>u4CopyDataMax)
+ || copy_from_user(&prNdisReq->ndisOidContent[0],
+ prIwReqData->data.pointer,
+ prIwReqData->data.length)) {
 DBGLOG(REQ, INFO, ("priv_get_struct() copy_from_user oidBuf fail\n"));
 return -EFAULT;
 }
--
cgit v1.2.3
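Review bot: In the second hunk an over-long `prIwReqData->data.length` is rejected through the same branch as a faulting copy, so the caller gets `-EFAULT` and the log reads "copy_from_user oidBuf fail" although no copy was attempted; a separate guard ahead of the copy, `if (prIwReqData->data.length > u4CopyDataMax) return -EINVAL;`, would keep a rejected length distinguishable from a bad user pointer when triaging logs. The bound relies on `sizeof(aucOidBuf)` being the size of an array; its declaration is outside the hunk, so that is assumed here. Because the subtraction is unsigned, a pointer-typed buffer or one smaller than the header offset would wrap `u4CopyDataMax` to a very large value and silently disable the check. A one-line comment above the computation, `/* room left in aucOidBuf after the NDIS_TRANSPORT_STRUCT header */`, would record that assumption. priv_get_struct starts and ends outside both hunks, so whether its other uses of `data.length` are bounded the same way cannot be seen from here.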