Merge "wpa_supplicant_lib: Fix integer overflow in result_copy_to_buf" into wlan-aosp.lnx.13.0
diff --git a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
index 00cdae7..8fb06cb 100644
--- a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
+++ b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
@@ -3899,16 +3899,19 @@
char *result_copy_to_buf(char *src, char *dst_buf, int *dst_len)
{
- int str_len, remaining = 0;
+ size_t str_len, remaining = 0;
+
+ if (!dst_buf || *dst_len < 0)
+ return NULL;
remaining = *dst_len;
str_len = strlen(src);
- remaining = remaining - (str_len + 1);
- if (remaining <= 0) {
- wpa_printf(MSG_ERROR, "destination buffer length not enough");
+ if (remaining > 0 && (remaining - 1) > str_len)
+ remaining = remaining - (str_len + 1);
+ else
return NULL;
- }
+
os_memcpy(dst_buf, src, str_len);
*dst_len = remaining;