him411/nss-packages-breeze303
1
0
Fork 0
mirror of https://github.com/breeze303/nss-packages.git synced 2025-12-16 16:57:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
2b94eaf3ba
nss-packages-breeze303/qca-nss-ecm/patches/0017-ecm-interface-fix-fortify_memcpy_chk.patch
Sean Khan 1af6cec02b nss-ecm: Refresh patches for 12.5.5 
Signed-off-by: Sean Khan <datapronix@protonmail.com>
2024-09-21 19:51:08 -04:00

54 lines
2.1 KiB
Diff
Raw Blame History

--- a/ecm_interface.c
+++ b/ecm_interface.c
@@ -8537,7 +8537,7 @@ static int ecm_interface_wifi_event_iwev
/*
* Copy the base data structure to get iwe->len
*/
- memcpy(&iwe_buf, pos, IW_EV_LCP_LEN);
+ memcpy(&iwe_buf, pos, min_t(size_t, IW_EV_LCP_LEN, (size_t)(end - pos)));
/*
* Check that len is valid and that we have that much in the buffer.
@@ -8554,10 +8554,10 @@ static int ecm_interface_wifi_event_iwev
dpos = (char *)&iwe_buf.u.data.length;
dlen = dpos - (char *)&iwe_buf;
- memcpy(dpos, pos + IW_EV_LCP_LEN, sizeof(struct iw_event) - dlen);
+ memcpy(dpos, pos + IW_EV_LCP_LEN, min_t(size_t, sizeof(struct iw_event) - dlen, (size_t)(end - pos - IW_EV_LCP_LEN)));
if (custom + iwe->u.data.length > end) {
- DEBUG_WARN("Invalid buffer length received in the event iwe->u.data.length %d\n", iwe->u.data.length);
+ DEBUG_WARN("Invalid buffer length received in the event iwe->u.data.length %d\n", (int)iwe->u.data.length);
return -1;
}
@@ -8565,7 +8565,7 @@ static int ecm_interface_wifi_event_iwev
* Check the flags of iw event if it indicates the IW authorized signal.
*/
if (iwe->u.data.flags == ECM_INTERFACE_WIFI_EVENT_NODE_AUTH) {
- dbuf = kzalloc((iwe->u.data.length + 1), GFP_KERNEL);
+ dbuf = kzalloc(iwe->u.data.length, GFP_KERNEL);
if (!dbuf) {
DEBUG_WARN("Failed to allocated a buffer to process the custom event");
return -1;
@@ -8588,16 +8588,16 @@ static int ecm_interface_wifi_event_iwev
return 0;
}
- if ((iwe->len > sizeof(struct iw_event)) || (iwe->len + pos) > end) {
+ if ((iwe->len > sizeof(struct iw_event)) || (iwe->len + pos > end)) {
return -1;
}
/*
* Do the copy again with the full length.
*/
- memcpy(&iwe_buf, pos, iwe->len);
+ memcpy(&iwe_buf, pos, min_t(size_t, iwe->len, (size_t)(end - pos)));
- if (iwe->cmd == IWEVEXPIRED) {
+ if (iwe->cmd == IWEVEXPIRED && iwe->len >= sizeof(struct iw_event)) {
DEBUG_INFO("STA %pM leaving\n", (uint8_t *)iwe->u.addr.sa_data);
ecm_interface_node_connections_defunct((uint8_t *)iwe->u.addr.sa_data, ECM_DB_IP_VERSION_IGNORE);
} else {
Reference in New Issue View Git Blame Copy Permalink