Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 92db5ba9 authored by Mohammed Javid's avatar Mohammed Javid
Browse files

msm: ipa: prevent string buffer overflows 



In WAN ioctls user-supplied data structures
contain string members,but there's no guarantee
they're null-terminated, add the string terminator
to prevent vulnerability of string buffer overflows.

Change-Id: I17c06c94aa619a2cd3a678c495a31541a65a7741
Acked-by: default avatarAshok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: default avatarMohammed Javid <mjavid@codeaurora.org>
parent 502914e1

drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c

+14 −0
Original line number Diff line number Diff line
@@ -2682,6 +2682,9 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data) 
	enum ipa_upstream_type upstream_type;

	int rc = 0;



	/* prevent string buffer overflows */

	data->interface_name[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->interface_name);
@@ -2973,6 +2976,10 @@ int rmnet_ipa_query_tethering_stats(struct wan_ioctl_query_tether_stats *data, 
	enum ipa_upstream_type upstream_type;

	int rc = 0;



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';

	data->tetherIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);
@@ -3007,6 +3014,10 @@ int rmnet_ipa_query_tethering_stats_all( 
	int rc = 0;



	memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);
@@ -3050,6 +3061,9 @@ int rmnet_ipa_reset_tethering_stats(struct wan_ioctl_reset_tether_stats *data) 


	memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);

drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c

+14 −0
Original line number Diff line number Diff line
@@ -2809,6 +2809,9 @@ int rmnet_ipa3_set_data_quota(struct wan_ioctl_set_data_quota *data) 
	enum ipa_upstream_type upstream_type;

	int rc = 0;



	/* prevent string buffer overflows */

	data->interface_name[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->interface_name);
@@ -3101,6 +3104,10 @@ int rmnet_ipa3_query_tethering_stats(struct wan_ioctl_query_tether_stats *data, 
	enum ipa_upstream_type upstream_type;

	int rc = 0;



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';

	data->tetherIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);
@@ -3135,6 +3142,10 @@ int rmnet_ipa3_query_tethering_stats_all( 
	int rc = 0;



	memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);
@@ -3178,6 +3189,9 @@ int rmnet_ipa3_reset_tethering_stats(struct wan_ioctl_reset_tether_stats *data) 


	memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));



	/* prevent string buffer overflows */

	data->upstreamIface[IFNAMSIZ-1] = '\0';



	/* get IPA backhaul type */

	upstream_type = find_upstream_type(data->upstreamIface);