From 92db5ba9efe54fb6bbcf5d8433ca7a0529f4636e Mon Sep 17 00:00:00 2001
From: Mohammed Javid
Date: Tue, 26 Sep 2017 12:51:14 +0530
Subject: [PATCH] msm: ipa: prevent string buffer overflows

In WAN ioctls user-supplied data structures contain string members,but there's no guarantee they're null-terminated, add the string terminator to prevent vulnerability of string buffer overflows.

Change-Id: I17c06c94aa619a2cd3a678c495a31541a65a7741
Acked-by: Ashok Vuyyuru
Signed-off-by: Mohammed Javid
---
 drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c | 14 ++++++++++++++
 drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 14 ++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
index 834712a71ac6..c3e5af343dcb 100644
--- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
@@ -2682,6 +2682,9 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data)
 enum ipa_upstream_type upstream_type;
 int rc = 0;
 
+ /* prevent string buffer overflows */
+ data->interface_name[IFNAMSIZ-1] = '\0';
+
 /* get IPA backhaul type */
 upstream_type = find_upstream_type(data->interface_name);
 
@@ -2973,6 +2976,10 @@ int rmnet_ipa_query_tethering_stats(struct wan_ioctl_query_tether_stats *data,
 enum ipa_upstream_type upstream_type;
 int rc = 0;
 
+ /* prevent string buffer overflows */
+ data->upstreamIface[IFNAMSIZ-1] = '\0';
+ data->tetherIface[IFNAMSIZ-1] = '\0';
+
 /* get IPA backhaul type */
 upstream_type = find_upstream_type(data->upstreamIface);
 
@@ -3007,6 +3014,10 @@ int rmnet_ipa_query_tethering_stats_all(
 int rc = 0;
 
 memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));
+
+ /* prevent string buffer overflows */
+ data->upstreamIface[IFNAMSIZ-1] = '\0';
+
 /* get IPA backhaul type */
 upstream_type = find_upstream_type(data->upstreamIface);
 
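Review bot: The terminator index in rmnet_ipa_set_data_quota is hard-coded as `IFNAMSIZ-1`, while the size of `interface_name` is declared in a header outside this diff, so the write stays in bounds only as long as the two agree. Deriving the index from the member keeps it correct if the struct ever changes: `data->interface_name[sizeof(data->interface_name) - 1] = '\0';`. The same applies to the `upstreamIface` and `tetherIface` writes in the other hunks of both ipa_v2 and ipa_v3. The body of the function continues outside the hunk.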
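Review bot: In rmnet_ipa_query_tethering_stats a name that fills all IFNAMSIZ bytes is silently cut to IFNAMSIZ-1 characters and then passed to find_upstream_type(), so a malformed request may be resolved as a different, shorter interface name instead of being refused. Rejecting it is stricter, for example `if (strnlen(data->upstreamIface, IFNAMSIZ) == IFNAMSIZ) return -EINVAL;`, with the same check for `tetherIface`. The error convention of the callers is not visible in this hunk, so the return value needs confirming. The other handlers patched by this commit truncate in the same way.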
@@ -3050,6 +3061,9 @@ int rmnet_ipa_reset_tethering_stats(struct wan_ioctl_reset_tether_stats *data)
 
 memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));
 
+ /* prevent string buffer overflows */
+ data->upstreamIface[IFNAMSIZ-1] = '\0';
+
 /* get IPA backhaul type */
 upstream_type = find_upstream_type(data->upstreamIface);
 
diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
index 039bc7da5153..37cd333f689d 100644
--- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
@@ -2809,6 +2809,9 @@ int rmnet_ipa3_set_data_quota(struct wan_ioctl_set_data_quota *data)
 enum ipa_upstream_type upstream_type;
 int rc = 0;
 
+ /* prevent string buffer overflows */
+ data->interface_name[IFNAMSIZ-1] = '\0';
+
 /* get IPA backhaul type */
 upstream_type = find_upstream_type(data->interface_name);
 
@@ -3101,6 +3104,10 @@ int rmnet_ipa3_query_tethering_stats(struct wan_ioctl_query_tether_stats *data,
 enum ipa_upstream_type upstream_type;
 int rc = 0;
 
+ /* prevent string buffer overflows */
+ data->upstreamIface[IFNAMSIZ-1] = '\0';
+ data->tetherIface[IFNAMSIZ-1] = '\0';
+
 /* get IPA backhaul type */
 upstream_type = find_upstream_type(data->upstreamIface);
 
@@ -3135,6 +3142,10 @@ int rmnet_ipa3_query_tethering_stats_all(
 int rc = 0;
 
 memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));
+
+ /* prevent string buffer overflows */
+ data->upstreamIface[IFNAMSIZ-1] = '\0';
+
 /* get IPA backhaul type */
 upstream_type = find_upstream_type(data->upstreamIface);
 
@@ -3178,6 +3189,9 @@ int rmnet_ipa3_reset_tethering_stats(struct wan_ioctl_reset_tether_stats *data)
 
 memset(&tether_stats, 0, sizeof(struct wan_ioctl_query_tether_stats));
 
+ /* prevent string buffer overflows */
+ data->upstreamIface[IFNAMSIZ-1] = '\0';
+
 /* get IPA backhaul type */
 upstream_type = find_upstream_type(data->upstreamIface);
 
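Review bot: The comment `/* prevent string buffer overflows */` in rmnet_ipa_reset_tethering_stats does not say where the risk comes from. What the write prevents is presumably a string function reading past an unterminated array, not a write overrunning a buffer. A comment that records the trust boundary would serve the next reader better: `/* upstreamIface is filled in by the ioctl caller and may lack a NUL terminator */`. The same comment text is used in every hunk of this commit.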
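Review bot: Terminating the name inside rmnet_ipa3_set_data_quota protects only this entry point, and the ipa_v3 hunks repeat the ipa_v2 ones line for line. Any other function that receives these wan_ioctl_* structs would still see the string as user space supplied it. If the structs are copied in at one place in the WAN ioctl handler (not part of this diff), terminating or validating the name fields there, right after the copy, would cover every consumer and replace the repeated writes. A comment at that site naming the fields that are treated as C strings would document the contract.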