Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 70f73667 authored by Sourav Mohapatra's avatar Sourav Mohapatra Committed by Gerrit - the friendly Code Review server
Browse files

wlan: Add sanity check for data in ptt_sock_rx_nlink_msg 

Currently in the driver, while typecasting the skb data to local
structure in function ptt_sock_proc_reg_req, there can occur a potential
OOB read. The length of the data to be typecasted is not verified
properly.

Add a sanity check to verify that the data being typecasted is of proper
size.

Change-Id: Ib88477a2817649e092e25e21f948c33160dfa09b
CRs-Fixed: 2559499
parent d47ccd4c

CORE/SVC/src/ptt/wlan_ptt_sock_svc.c

+5 −0
Original line number Diff line number Diff line
@@ -297,6 +297,11 @@ static int ptt_sock_rx_nlink_msg (struct sk_buff * skb) 
   wnl = (tAniNlHdr *) skb->data;

   radio = wnl->radio;

   type = wnl->nlh.nlmsg_type;



   if (wnl->nlh.nlmsg_len < (sizeof(struct nlmsghdr) +

       sizeof(int) + sizeof(tAniHdr) + wnl->wmsg.length))

	   return -EINVAL;



   switch (type) {

      case ANI_NL_MSG_PUMAC:  //Message from the PTT socket APP

         PTT_TRACE(VOS_TRACE_LEVEL_INFO, "%s: Received ANI_NL_MSG_PUMAC Msg [0x%X]\n",