Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1be3e65b authored by Wilson Yang's avatar Wilson Yang Committed by Madan Mohan Koyyalamudi
Browse files

DroidSec: Check sscanf returns in function iw_set_priv 

In the two clauses "powermode" and "CONFIG-TX-TRACKING",
it should be confirmed that cmd_len is greater than amount
incrementing cmd when form ptr,and must check return from
sscanf to confirm that parameters were parsed correctly
before subsequent use.

Change-Id: I9e93c3f34b116f6fac1bd81f32956fb88cba807a
CRs-fixed: 554538
parent 0c69aee1

CORE/HDD/src/wlan_hdd_wext.c

+39 −5
Original line number Diff line number Diff line
@@ -2926,9 +2926,25 @@ static int iw_set_priv(struct net_device *dev, 
    }

    else if( strncasecmp(cmd, "powermode", 9) == 0 ) {

        int mode;

        char *ptr = (char*)(cmd + 9);

        char *ptr;



        if (9 < cmd_len)

        {

            ptr = (char*)(cmd + 9);



        }else{

              VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,

                        "CMD LENGTH %d is not correct",cmd_len);

              return VOS_STATUS_E_FAILURE;

        }



        if (1 != sscanf(ptr,"%d",&mode))

        {

            VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,

                      "powermode input %s is not correct",ptr);

            return VOS_STATUS_E_FAILURE;

        }



        sscanf(ptr,"%d",&mode);

        wlan_hdd_enter_bmps(pAdapter, mode);

        /*TODO:Set the power mode*/

    }
@@ -3010,9 +3026,27 @@ static int iw_set_priv(struct net_device *dev, 
    }

    else if( 0 == strncasecmp(cmd, "CONFIG-TX-TRACKING", 18) ) {

        tSirTxPerTrackingParam tTxPerTrackingParam;

        char *ptr = (char*)(cmd + 18);

        sscanf(ptr,"%hhu %hhu %hhu %lu",&(tTxPerTrackingParam.ucTxPerTrackingEnable), &(tTxPerTrackingParam.ucTxPerTrackingPeriod),

               &(tTxPerTrackingParam.ucTxPerTrackingRatio), &(tTxPerTrackingParam.uTxPerTrackingWatermark));

        char *ptr;



        if (18 < cmd_len)

        {

           ptr = (char*)(cmd + 18);

        }else{

               VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,

                         "CMD LENGTH %d is not correct",cmd_len);

               return VOS_STATUS_E_FAILURE;

        }



        if (4 != sscanf(ptr,"%hhu %hhu %hhu %lu",

                        &(tTxPerTrackingParam.ucTxPerTrackingEnable),

                        &(tTxPerTrackingParam.ucTxPerTrackingPeriod),

                        &(tTxPerTrackingParam.ucTxPerTrackingRatio),

                        &(tTxPerTrackingParam.uTxPerTrackingWatermark)))

        {

            VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,

                      "CONFIG-TX-TRACKING %s input is not correct",ptr);

                      return VOS_STATUS_E_FAILURE;

        }



        // parameters checking

        // period has to be larger than 0