DivestOS/Patches/Linux_CVEs/CVE-2016-10283/qcacld-3.0/0002.patch

From d60a5839ba987e2c9d365fef950cae0c9ad11010 Mon Sep 17 00:00:00 2001
From: SaidiReddy Yenuga <saidir@codeaurora.org>
Date: Tue, 21 Feb 2017 13:05:26 +0530
Subject: qcacld-3.0: Trim operation classes to max supported in change station

qcacld-2.0 to qcacld-3.0 Propagation.

Operation classes supported can be controlled by user, which can
be sent greater than the max supported operations. This results
in stack overflow in change station command.

Add check to validate operations supported param given by user
and if it exceeds max supported value, set it to max supported
value.

CRs-Fixed: 2002052
Change-Id: Idd3a35e38b091546a17d7ec6329f19429e5c289c
---
 core/hdd/src/wlan_hdd_cfg80211.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 2ac8896..8f13919 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -10513,6 +10513,14 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy,
 				hdd_notice("After removing duplcates StaParams.supported_channels_len: %d",
 					  StaParams.supported_channels_len);
 			}
+			if (params->supported_oper_classes_len >
+			    CDS_MAX_SUPP_OPER_CLASSES) {
+				hdd_notice("received oper classes:%d, resetting it to max supported: %d",
+					  params->supported_oper_classes_len,
+					  CDS_MAX_SUPP_OPER_CLASSES);
+				params->supported_oper_classes_len =
+					CDS_MAX_SUPP_OPER_CLASSES;
+			}
 			qdf_mem_copy(StaParams.supported_oper_classes,
 				     params->supported_oper_classes,
 				     params->supported_oper_classes_len);
-- 
cgit v1.1
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`From d60a5839ba987e2c9d365fef950cae0c9ad11010 Mon Sep 17 00:00:00 2001`
			`From: SaidiReddy Yenuga <saidir@codeaurora.org>`
			`Date: Tue, 21 Feb 2017 13:05:26 +0530`
			`Subject: qcacld-3.0: Trim operation classes to max supported in change station`

			`qcacld-2.0 to qcacld-3.0 Propagation.`

			`Operation classes supported can be controlled by user, which can`
			`be sent greater than the max supported operations. This results`
			`in stack overflow in change station command.`

			`Add check to validate operations supported param given by user`
			`and if it exceeds max supported value, set it to max supported`
			`value.`

			`CRs-Fixed: 2002052`
			`Change-Id: Idd3a35e38b091546a17d7ec6329f19429e5c289c`
			`---`
			`core/hdd/src/wlan_hdd_cfg80211.c \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`

			`diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c`
			`index 2ac8896..8f13919 100644`
			`--- a/core/hdd/src/wlan_hdd_cfg80211.c`
			`+++ b/core/hdd/src/wlan_hdd_cfg80211.c`
			`@@ -10513,6 +10513,14 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy,`
			`hdd_notice("After removing duplcates StaParams.supported_channels_len: %d",`
			`StaParams.supported_channels_len);`
			`}`
			`+ if (params->supported_oper_classes_len >`
			`+ CDS_MAX_SUPP_OPER_CLASSES) {`
			`+ hdd_notice("received oper classes:%d, resetting it to max supported: %d",`
			`+ params->supported_oper_classes_len,`
			`+ CDS_MAX_SUPP_OPER_CLASSES);`
			`+ params->supported_oper_classes_len =`
			`+ CDS_MAX_SUPP_OPER_CLASSES;`
			`+ }`
			`qdf_mem_copy(StaParams.supported_oper_classes,`
			`params->supported_oper_classes,`
			`params->supported_oper_classes_len);`
			`--`
			`cgit v1.1`