Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a204290b authored by Sourav Mohapatra's avatar Sourav Mohapatra
Browse files

qcacld-3.0: Validate user input for null termination 

In hdd_dns_make_name_query() the parameter string is a user controlled
input. The driver assumes that the input is null terminated string and
accordingly the exit condition of the loop is specified. In case the
user sends input with no null termination then it can lead to possible
OOB scenario.

Add a null termination validation on the string so that any erroneous
input is filtered.

Change-Id: I2abb4875569c508179c4488347f7c9aae0666332
CRs-Fixed: 2342812
parent 638930eb

core/hdd/src/wlan_hdd_cfg80211.c

+14 −4
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.

 * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.

 *

 * Permission to use, copy, modify, and/or distribute this software for

 * any purpose with or without fee is hereby granted, provided that the
@@ -10898,11 +10898,17 @@ static inline uint8_t *hdd_dns_unmake_name_query(uint8_t *name) 
 *

 * Return: Byte following constructed DNS name

 */

static uint8_t *hdd_dns_make_name_query(const uint8_t *string, uint8_t *buf)

static uint8_t *hdd_dns_make_name_query(const uint8_t *string,

					uint8_t *buf, uint8_t len)

{

	uint8_t *length_byte = buf++;

	uint8_t c;









	if (string[len - 1]) {









		hdd_debug("DNS name is not null terminated");









		return NULL;









	}

















	while ((c = *(string++))) {









		if (c == '.') {









			*length_byte = buf - length_byte - 1;








@@ -10991,8 +10997,12 @@ static int hdd_set_clear_connectivity_check_stats_info(







					adapter->track_dns_domain_len =









						nla_len(tb2[









							STATS_DNS_DOMAIN_NAME]);









					hdd_dns_make_name_query(domain_name,









							adapter->dns_payload);









					if (!hdd_dns_make_name_query(









						domain_name,









						adapter->dns_payload,









						adapter->track_dns_domain_len))









						adapter->track_dns_domain_len =









							0;









					/* DNStracking isn't supported in FW. */









					arp_stats_params->pkt_type_bitmap &=









						~CONNECTIVITY_CHECK_SET_DNS;