authorJeff Johnson <jjohnson@codeaurora.org>2016-11-29 08:19:13 -0800
committerJoey Rizzoli <joey@lineageos.org>2017-06-14 23:00:20 +0200
commit495a6a46f3d4626bf24ff56cb5ae1a3f4390f75f (patch)
tree11c2d160c8efc29e7e72bd41ee4fb1c29a2c0b57
parent31696b03153c08324e4c4623be82deeb5161b737 (diff)
prima: Avoid overflow of "significant change" params
The wlan driver supports the following vendor command: QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE. This command supplies a "number of APs" attribute as well as a list of per-AP attributes. However, there is no validation that the number of APs provided won't overflow the destination buffer. In addition, there is no validation that the number of APs actually provided matches the number of APs expected. To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the expected number of APs
* Only process the actual number of supplied APs if it is less than the expected number of APs.

Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77
CRs-Fixed: 1095009
-rw-r--r--drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c
index dfc4562fbd8..6620b5ea2ac 100644
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -3695,6 +3695,11 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiph
}
pReqMsg->numAp = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]);
+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) {
+ hddLog(LOGE, FL("Number of AP %u exceeds max %u"),
+ pReqMsg->numAp, WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_INFO, FL("Number of AP (%d)"), pReqMsg->numAp);
pReqMsg->sessionId = pAdapter->sessionId;
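Review bot: The new bound on `pReqMsg->numAp` is only as strong as the relationship between `WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS` and the capacity of the per-AP storage in the request message, and nothing in this hunk documents or enforces that relationship. A short comment above the check, such as `/* numAp comes from userspace; it must not exceed the per-AP capacity of the request */`, would state the invariant, and a compile-time assertion beside the structure definition would keep the constant and the array from drifting apart. The new message prints the field with `%u` while the unchanged trace line just below still uses `%d` for the same u32, and it uses `LOGE` where the surrounding code spells out `VOS_TRACE_LEVEL_*`; aligning both would be tidy. The `fail` label is outside the hunk, so whether it releases `pReqMsg` cannot be confirmed from here.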
@@ -3702,6 +3707,12 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiph
nla_for_each_nested(apTh,
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) {
+
+ if (i == pReqMsg->numAp) {
+ hddLog(LOGW, FL("Ignoring excess AP"));
+ break;
+ }
+
if(nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
nla_data(apTh), nla_len(apTh),
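Review bot: The loop guard `if (i == pReqMsg->numAp)` holds the bound only if `i` starts at zero and advances by exactly one per iteration, both of which are set up outside this hunk; `if (i >= pReqMsg->numAp) {` would keep the write index in range even if a later change alters how `i` moves. Excess entries are dropped with a warning and the command still proceeds, so a caller whose declared count disagrees with the list it sent gets no error back. If that leniency is intended, a one-line comment saying so would help; otherwise failing the request at this point is the stricter choice. The loop body continues past the end of the hunk.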
@@ -3750,6 +3761,12 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiph
i++;
}
+ if (i < pReqMsg->numAp) {
+ hddLog(LOGW, FL("Number of AP %u less than expected %u"),
+ i, pReqMsg->numAp);
+ pReqMsg->numAp = i;
+ }
+
status = sme_SetSignificantChange(pHddCtx->hHal, pReqMsg);
if (!HAL_STATUS_SUCCESS(status)) {
hddLog(VOS_TRACE_LEVEL_ERROR,
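Review bot: When no per-AP attribute was parsed, `i` is 0 at the new check, `numAp` is rewritten to 0 and the request is still handed to `sme_SetSignificantChange`. Whether the lower layers accept an empty list is not visible in this hunk, so either reject that case before the call or add a comment such as `/* numAp == 0 is valid: clears the significant-change list */` if that is the intended meaning. Separately, `i` is printed with `%u` and compared against the u32 `numAp`, but its declaration is outside the hunk; if it is a signed type, the format and the comparison should be made to agree, for example by declaring it unsigned.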