DivestOS/Patches/Linux_CVEs/CVE-2017-0441/qcacld-3.0/0002.patch

From e578706506f98a4962220066d92d81e853ac7212 Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Tue, 29 Nov 2016 08:54:18 -0800
Subject: qcacld-3.0: Avoid overflow of "significant change" params

This is a qcacld-2.0 to qcacld-3.0 propagation.

The wlan driver supports the following vendor command:
	QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE

This command supplies a "number of APs" attribute as well as a list of
per-AP attributes.  However there is no validation that the number of
APs provided won't overflow the destination buffer.  In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.

To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
  allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
  expected number of APs
* Only process the actual number of supplied APs if it is less than
  the expected number of APs.

Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77
CRs-Fixed: 1095009
---
 core/hdd/src/wlan_hdd_ext_scan.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c
index 86a51f7..320ea3c 100644
--- a/core/hdd/src/wlan_hdd_ext_scan.c
+++ b/core/hdd/src/wlan_hdd_ext_scan.c
@@ -2320,6 +2320,13 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,
 	pReqMsg->numAp =
 		nla_get_u32(tb
 		    [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]);
+	if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) {
+		hdd_err("Number of AP %u exceeds max %u",
+			pReqMsg->numAp,
+			WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS);
+		goto fail;
+	}
+
 	pReqMsg->sessionId = pAdapter->sessionId;
 	hdd_notice("Number of AP %d Session Id %d",
 		pReqMsg->numAp, pReqMsg->sessionId);
@@ -2328,6 +2335,12 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,
 	nla_for_each_nested(apTh,
 			    tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM],
 			    rem) {
+
+		if (i == pReqMsg->numAp) {
+			hdd_warn("Ignoring excess AP");
+			break;
+		}
+
 		if (nla_parse
 		    (tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
 		    nla_data(apTh), nla_len(apTh),
@@ -2372,6 +2385,11 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,
 
 		i++;
 	}
+	if (i < pReqMsg->numAp) {
+		hdd_warn("Number of AP %u less than expected %u",
+			 i, pReqMsg->numAp);
+		pReqMsg->numAp = i;
+	}
 
 	context = &ext_scan_context;
 	spin_lock(&context->context_lock);
-- 
cgit v1.1
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`From e578706506f98a4962220066d92d81e853ac7212 Mon Sep 17 00:00:00 2001`
			`From: Jeff Johnson <jjohnson@codeaurora.org>`
			`Date: Tue, 29 Nov 2016 08:54:18 -0800`
			`Subject: qcacld-3.0: Avoid overflow of "significant change" params`

			`This is a qcacld-2.0 to qcacld-3.0 propagation.`

			`The wlan driver supports the following vendor command:`
			`QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE`

			`This command supplies a "number of APs" attribute as well as a list of`
			`per-AP attributes. However there is no validation that the number of`
			`APs provided won't overflow the destination buffer. In addition there`
			`is no validation that the number of APs actually provided matches the`
			`number of APs expected.`

			`To address these issues:`
			`* Verify that the expected number of APs doesn't exceed the maximum`
			`allowed number of APs`
			`* Verify that the actual number of APs supplied doesn't exceed the`
			`expected number of APs`
			`* Only process the actual number of supplied APs if it is less than`
			`the expected number of APs.`

			`Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77`
			`CRs-Fixed: 1095009`
			`---`
			`core/hdd/src/wlan_hdd_ext_scan.c \| 18 ++++++++++++++++++`
			`1 file changed, 18 insertions(+)`

			`diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c`
			`index 86a51f7..320ea3c 100644`
			`--- a/core/hdd/src/wlan_hdd_ext_scan.c`
			`+++ b/core/hdd/src/wlan_hdd_ext_scan.c`
			`@@ -2320,6 +2320,13 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,`
			`pReqMsg->numAp =`
			`nla_get_u32(tb`
			`[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]);`
			`+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) {`
			`+ hdd_err("Number of AP %u exceeds max %u",`
			`+ pReqMsg->numAp,`
			`+ WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS);`
			`+ goto fail;`
			`+ }`
			`+`
			`pReqMsg->sessionId = pAdapter->sessionId;`
			`hdd_notice("Number of AP %d Session Id %d",`
			`pReqMsg->numAp, pReqMsg->sessionId);`
			`@@ -2328,6 +2335,12 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,`
			`nla_for_each_nested(apTh,`
			`tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM],`
			`rem) {`
			`+`
			`+ if (i == pReqMsg->numAp) {`
			`+ hdd_warn("Ignoring excess AP");`
			`+ break;`
			`+ }`
			`+`
			`if (nla_parse`
			`(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,`
			`nla_data(apTh), nla_len(apTh),`
			`@@ -2372,6 +2385,11 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,`

			`i++;`
			`}`
			`+ if (i < pReqMsg->numAp) {`
			`+ hdd_warn("Number of AP %u less than expected %u",`
			`+ i, pReqMsg->numAp);`
			`+ pReqMsg->numAp = i;`
			`+ }`

			`context = &ext_scan_context;`
			`spin_lock(&context->context_lock);`
			`--`
			`cgit v1.1`