From ff6440b26f7ba544396184b3e3b42784746173f3 Mon Sep 17 00:00:00 2001
From: Shake M Subhani
Date: Wed, 6 Nov 2013 17:39:46 +0530
Subject: [PATCH] softap: sscanf sanity check for SoftAP service

The sscanf return value is verified whether the three channel variables, i.e. start channel, end channel and channel band, are properly updated. If malformed input is given to sscanf, then these variables may not properly updated. To provide validation of input, verifying that sscanf returned a correct value of 3.
Change-Id: Ibd185e7a0ffcf5803927990531fc33f0e8977cc9
CRs-fixed: 554349
---
 softap/sdk/qsap_api.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/softap/sdk/qsap_api.c b/softap/sdk/qsap_api.c
index a7c776b..7201094 100755
--- a/softap/sdk/qsap_api.c
+++ b/softap/sdk/qsap_api.c
@@ -1352,8 +1352,13 @@ int qsap_set_channel_range(s8 *buf)
 if (ENABLE != is_softap_enabled()) {
 strncpy(wrq.ifr_name, "wlan0", sizeof(wrq.ifr_name));
 sta_chan_range.subioctl = WE_SET_SAP_CHANNELS;
- sscanf(temp, "%d %d %d", &(sta_chan_range.stastartchan),
+ ret = sscanf(temp, "%d %d %d", &(sta_chan_range.stastartchan),
 &(sta_chan_range.staendchan), &(sta_chan_range.staband));
+ if (3 != ret) {
+ ALOGE("%s : sscanf is not successful\n", __func__);
+ close(sock);
+ goto error;
+ }
 memcpy(wrq.u.name, (char *)(&sta_chan_range), sizeof(sta_chan_range));
 ALOGE("%s :Softap is off,Send SET_CHANNEL_RANGE over sta interface\n",
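Review bot: The new `3 != ret` test in the station branch only proves that three integers were converted; negative or out-of-range channel numbers, a start channel above the end channel, and trailing text after the third number all still pass and are copied into `wrq` for the driver ioctl. A range check right after it would close the gap, for example `if (sta_chan_range.stastartchan < 0 || sta_chan_range.stastartchan > sta_chan_range.staendchan) { close(sock); goto error; }`, plus a comparison of `staband` against the band constants the driver header defines (not visible here). The `sap_chan_range` branch in the second hunk has the same gap. The function starts and ends outside the hunk, so an earlier check on `temp` cannot be ruled out; the field types are assumed to be `int`, as the `%d` conversions imply.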
@@ -1361,8 +1366,13 @@ int qsap_set_channel_range(s8 *buf)
 ret = ioctl(sock, WLAN_PRIV_SET_THREE_INT_GET_NONE, &wrq);
 } else {
 strncpy(wrq.ifr_name, pif, sizeof(wrq.ifr_name));
- sscanf(temp, "%d %d %d", &(sap_chan_range.startchan),
+ ret = sscanf(temp, "%d %d %d", &(sap_chan_range.startchan),
 &(sap_chan_range.endchan), &(sap_chan_range.band));
+ if (3 != ret) {
+ ALOGE("%s : sscanf is not successful\n", __func__);
+ close(sock);
+ goto error;
+ }
 memcpy(wrq.u.name, (char *)(&sap_chan_range), sizeof(sap_chan_range));
 ALOGE("%s :SAP is on,Send SET_CHANNEL_RANGE over softap interface\n",
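Review bot: The failure message added in the soft-AP branch is identical to the one in the station branch of the first hunk and omits the conversion count, so a log line cannot show which path rejected the request or how far parsing got. Something like `ALOGE("%s : SAP channel range: expected 3 fields, parsed %d\n", __func__, ret);` would make malformed requests diagnosable without echoing the raw input. The `error` label is outside the hunk, so it cannot be confirmed from here that it leaves `sock` alone; if it also closes the socket, the explicit `close(sock)` would become a double close.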