DivestOS/Patches/Linux_CVEs/CVE-2017-0453/qcacld-3.0/0002.patch

41 lines
1.2 KiB
Diff
Raw Normal View History

2017-11-07 17:32:46 -05:00
From a2959858f428acfca3ca4c61d3c10b446bfe9b60 Mon Sep 17 00:00:00 2001
From: Manjeet Singh <manjee@codeaurora.org>
Date: Tue, 3 Jan 2017 12:08:10 +0530
Subject: qcacld-3.0: Add buf len check in wlan_hdd_cfg80211_testmode
qcacld-2.0 to qcacld-3.0 propagation.
In __wlan_hdd_cfg80211_testmode API no checks are in place that
ensure that buflen is smaller or equal the size of the stack
variable hb_params. Hence, the vos_mem_copy() call can overflow
stack memory.
Add buf len check to avoid stack overflow
CRs-Fixed: 1105085
Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
---
core/hdd/src/wlan_hdd_cfg80211.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 98b0012..1f34e4c 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -14974,6 +14974,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy,
timePeriodSec == 0))
return -EINVAL;
+ if (buf_len > sizeof(*hb_params)) {
+ hdd_err("buf_len=%d exceeded hb_params size limit",
+ buf_len);
+ return -ERANGE;
+ }
+
hb_params =
(tSirLPHBReq *) qdf_mem_malloc(sizeof(tSirLPHBReq));
if (NULL == hb_params) {
--
cgit v1.1