evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: ipa: prevent string buffer overflows

Browse source 
In WAN ioctls user-supplied data structures
contain string members,but there's no guarantee
they're null-terminated, add the string terminator
to prevent vulnerability of string buffer overflows.

Change-Id: I17c06c94aa619a2cd3a678c495a31541a65a7741
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
This commit is contained in:
Mohammed Javid 2017-09-26 12:51:14 +05:30
parent 502914e130
commit 92db5ba9ef
2 changed files with 28 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
View file

@ -2682,6 +2682,9 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data)
enum ipa_upstream_type upstream_type;
int rc = 0;
/* prevent string buffer overflows */
data->interface_name[IFNAMSIZ-1] = '\0';
/* get IPA backhaul type */
upstream_type = find_upstream_type(data->interface_name);
@ -2973,6 +2976,10 @@ int rmnet_ipa_query_tethering_stats(struct wan_ioctl_query_tether_stats *data,
enum ipa_upstream_type upstream_type;
int rc = 0;
/* prevent string buffer overflows */
data->upstreamIface[IFNAMSIZ-1] = '\0';
data->tetherIface[IFNAMSIZ-1] = '\0';
/* get IPA backhaul type */
upstream_type = find_upstream_type(data->upstreamIface);
@ -3007,6 +3014,10 @@ int rmnet_ipa_query_tethering_stats_all(
int rc = 0;
memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));
/* prevent string buffer overflows */
data->upstreamIface[IFNAMSIZ-1] = '\0';
/* get IPA backhaul type */
upstream_type = find_upstream_type(data->upstreamIface);
@ -3050,6 +3061,9 @@ int rmnet_ipa_reset_tethering_stats(struct wan_ioctl_reset_tether_stats *data)
memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));
/* prevent string buffer overflows */
data->upstreamIface[IFNAMSIZ-1] = '\0';
/* get IPA backhaul type */
upstream_type = find_upstream_type(data->upstreamIface);

14
drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
View file

@ -2809,6 +2809,9 @@ int rmnet_ipa3_set_data_quota(struct wan_ioctl_set_data_quota *data)
enum ipa_upstream_type upstream_type;
int rc = 0;
/* prevent string buffer overflows */
data->interface_name[IFNAMSIZ-1] = '\0';
/* get IPA backhaul type */
upstream_type = find_upstream_type(data->interface_name);
@ -3101,6 +3104,10 @@ int rmnet_ipa3_query_tethering_stats(struct wan_ioctl_query_tether_stats *data,
enum ipa_upstream_type upstream_type;
int rc = 0;
/* prevent string buffer overflows */
data->upstreamIface[IFNAMSIZ-1] = '\0';
data->tetherIface[IFNAMSIZ-1] = '\0';
/* get IPA backhaul type */
upstream_type = find_upstream_type(data->upstreamIface);
@ -3135,6 +3142,10 @@ int rmnet_ipa3_query_tethering_stats_all(
int rc = 0;
memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));
/* prevent string buffer overflows */
data->upstreamIface[IFNAMSIZ-1] = '\0';
/* get IPA backhaul type */
upstream_type = find_upstream_type(data->upstreamIface);
@ -3178,6 +3189,9 @@ int rmnet_ipa3_reset_tethering_stats(struct wan_ioctl_reset_tether_stats *data)
memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));
/* prevent string buffer overflows */
data->upstreamIface[IFNAMSIZ-1] = '\0';
/* get IPA backhaul type */
upstream_type = find_upstream_type(data->upstreamIface);