mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-09 06:38:02 -05:00
179 lines
7.9 KiB
Diff
179 lines
7.9 KiB
Diff
|
From 8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d Mon Sep 17 00:00:00 2001
|
||
|
From: Mahesh A Saptasagar <c_msapta@qti.qualcomm.com>
|
||
|
Date: Tue, 27 Oct 2015 21:56:28 +0530
|
||
|
Subject: qcacld 2.0: Validate ioctls for valid input length
|
||
|
|
||
|
prima to qcacld-2.0 propagation
|
||
|
|
||
|
Return failure to applications if ioctl is invoked with arguments
|
||
|
of improper length.
|
||
|
|
||
|
Change-Id: I01589f37996510ee130485ef43e1f36811692e28
|
||
|
CRs-Fixed: 930542
|
||
|
---
|
||
|
CORE/HDD/src/wlan_hdd_hostapd.c | 61 +++++++++++++++++++++++++++++++----------
|
||
|
1 file changed, 47 insertions(+), 14 deletions(-)
|
||
|
|
||
|
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
|
||
|
index 881400e..e4e1a63 100644
|
||
|
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
|
||
|
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
|
||
|
@@ -5186,9 +5186,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
case DOT11F_EID_WPA:
|
||
|
if (wps_genie[1] < 2 + 4)
|
||
|
{
|
||
|
- vos_mem_free(pSap_WPSIe);
|
||
|
- kfree(fwps_genie);
|
||
|
- return -EINVAL;
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
}
|
||
|
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
|
||
|
{
|
||
|
@@ -5246,6 +5245,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
pos += 2;
|
||
|
length = *pos<<8 | *(pos+1);
|
||
|
pos += 2;
|
||
|
+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
|
||
|
+ {
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
|
||
|
pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
|
||
|
pos += length;
|
||
|
@@ -5260,9 +5264,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
|
||
|
default:
|
||
|
hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1)));
|
||
|
- vos_mem_free(pSap_WPSIe);
|
||
|
- kfree(fwps_genie);
|
||
|
- return -EINVAL;
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
@@ -5274,9 +5277,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
|
||
|
default:
|
||
|
hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
|
||
|
- vos_mem_free(pSap_WPSIe);
|
||
|
- kfree(fwps_genie);
|
||
|
- return 0;
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
}
|
||
|
}
|
||
|
else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
|
||
|
@@ -5288,9 +5290,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
case DOT11F_EID_WPA:
|
||
|
if (wps_genie[1] < 2 + 4)
|
||
|
{
|
||
|
- vos_mem_free(pSap_WPSIe);
|
||
|
- kfree(fwps_genie);
|
||
|
- return -EINVAL;
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
}
|
||
|
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
|
||
|
{
|
||
|
@@ -5354,6 +5355,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
pos += 2;
|
||
|
length = *pos<<8 | *(pos+1);
|
||
|
pos += 2;
|
||
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
|
||
|
+ {
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
|
||
|
pos += length;
|
||
|
@@ -5363,6 +5369,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
pos += 2;
|
||
|
length = *pos<<8 | *(pos+1);
|
||
|
pos += 2;
|
||
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
|
||
|
+ {
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
|
||
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
|
||
|
@@ -5373,6 +5384,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
pos += 2;
|
||
|
length = *pos<<8 | *(pos+1);
|
||
|
pos += 2;
|
||
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
|
||
|
+ {
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
|
||
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
|
||
|
@@ -5382,6 +5398,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
pos += 2;
|
||
|
length = *pos<<8 | *(pos+1);
|
||
|
pos += 2;
|
||
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
|
||
|
+ {
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
|
||
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
|
||
|
@@ -5391,6 +5412,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
pos += 2;
|
||
|
length = *pos<<8 | *(pos+1);
|
||
|
pos += 2;
|
||
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
|
||
|
+ {
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
|
||
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
|
||
|
@@ -5414,6 +5440,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
pos += 2;
|
||
|
length = *pos<<8 | *(pos+1);
|
||
|
pos += 2;
|
||
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
|
||
|
+ {
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
|
||
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
|
||
|
pos += length;
|
||
|
@@ -5450,6 +5481,8 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
#else
|
||
|
halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
|
||
|
#endif
|
||
|
+ if (halStatus != eHAL_STATUS_SUCCESS)
|
||
|
+ ret = -EINVAL;
|
||
|
pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
|
||
|
if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
|
||
|
{
|
||
|
@@ -5461,11 +5494,11 @@ static int __iw_softap_setwpsie(struct net_device *dev,
|
||
|
WLANSAP_Update_WpsIe ( pVosContext );
|
||
|
#endif
|
||
|
}
|
||
|
-
|
||
|
+exit:
|
||
|
vos_mem_free(pSap_WPSIe);
|
||
|
kfree(fwps_genie);
|
||
|
EXIT();
|
||
|
- return halStatus;
|
||
|
+ return ret;
|
||
|
}
|
||
|
|
||
|
static int iw_softap_setwpsie(struct net_device *dev,
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|