qcacld-3.0: Validate user input for null termination

In hdd_dns_make_name_query() the parameter string is a user controlled input. The driver assumes that the input is null terminated string and accordingly the exit condition of the loop is specified. In case the user sends input with no null termination then it can lead to possible OOB scenario. Add a null termination validation on the string so that any erroneous input is filtered. Change-Id: I2abb4875569c508179c4488347f7c9aae0666332 CRs-Fixed: 2342812 Bug: 125746836 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com> Signed-off-by: Adam W. Willis <return.of.octobot@gmail.com>
0ctobot · Apr 6, 2019 · 582b351 · 582b351
1 parent fc3ded1
commit 582b351
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_cfg80211.c
@@ -10818,11 +10818,17 @@ static inline uint8_t *hdd_dns_unmake_name_query(uint8_t *name)
  *
  * Return: Byte following constructed DNS name
  */
-static uint8_t *hdd_dns_make_name_query(const uint8_t *string, uint8_t *buf)
+static uint8_t *hdd_dns_make_name_query(const uint8_t *string,
+					uint8_t *buf, uint8_t len)
 {
 	uint8_t *length_byte = buf++;
 	uint8_t c;
 
+	if (string[len - 1]) {
+		hdd_debug("DNS name is not null terminated");
+		return NULL;
+	}
+
 	while ((c = *(string++))) {
 		if (c == '.') {
 			*length_byte = buf - length_byte - 1;
@@ -10911,8 +10917,12 @@ static int hdd_set_clear_connectivity_check_stats_info(
 					adapter->track_dns_domain_len =
 						nla_len(tb2[
 							STATS_DNS_DOMAIN_NAME]);
-					hdd_dns_make_name_query(domain_name,
-							adapter->dns_payload);
+					if (!hdd_dns_make_name_query(
+						domain_name,
+						adapter->dns_payload,
+						adapter->track_dns_domain_len))
+						adapter->track_dns_domain_len =
+							0;
 					/* DNStracking isn't supported in FW. */
 					arp_stats_params->pkt_type_bitmap &=
 						~CONNECTIVITY_CHECK_SET_DNS;