Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bba17b30 authored by Mohammed Javid's avatar Mohammed Javid
Browse files

msm: ipa: prevent string buffer overflows 



In WAN ioctls user-supplied data structures
contain string members,but there's no guarantee
they're null-terminated, add the string terminator
to prevent vulnerability of string buffer overflows.

Change-Id: I17c06c94aa619a2cd3a678c495a31541a65a7741
Acked-by: default avatarAshok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: default avatarMohammed Javid <mjavid@codeaurora.org>
parent cd538dbf

drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c

+14 −0
Original line number Diff line number Diff line
@@ -2693,6 +2693,9 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data) 
	enum ipa_upstream_type upstream_type;

	int rc = 0;



	/* prevent string buffer overflows */

	data->interface_name[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->interface_name);
@@ -2982,6 +2985,10 @@ int rmnet_ipa_query_tethering_stats(struct wan_ioctl_query_tether_stats *data, 
	enum ipa_upstream_type upstream_type;

	int rc = 0;



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';

	data->tetherIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);
@@ -3016,6 +3023,10 @@ int rmnet_ipa_query_tethering_stats_all( 
	int rc = 0;



	memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);
@@ -3059,6 +3070,9 @@ int rmnet_ipa_reset_tethering_stats(struct wan_ioctl_reset_tether_stats *data) 


	memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);

drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c

+14 −0
Original line number Diff line number Diff line
@@ -2984,6 +2984,9 @@ int rmnet_ipa3_set_data_quota(struct wan_ioctl_set_data_quota *data) 
	enum ipa_upstream_type upstream_type;

	int rc = 0;



	/* prevent string buffer overflows */

	data->interface_name[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->interface_name);
@@ -3276,6 +3279,10 @@ int rmnet_ipa3_query_tethering_stats(struct wan_ioctl_query_tether_stats *data, 
	enum ipa_upstream_type upstream_type;

	int rc = 0;



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';

	data->tetherIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);
@@ -3310,6 +3317,10 @@ int rmnet_ipa3_query_tethering_stats_all( 
	int rc = 0;



	memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);
@@ -3353,6 +3364,9 @@ int rmnet_ipa3_reset_tethering_stats(struct wan_ioctl_reset_tether_stats *data) 


	memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);