DivestOS/Patches/Linux_CVEs/CVE-2016-3797/qcacld-2.0/0001.patch

61 lines
2.2 KiB
Diff
Raw Normal View History

2017-11-07 17:32:46 -05:00
From fdda9c0af64d6e5cdf006e2d8dd57e655821a962 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@qca.qualcomm.com>
Date: Sun, 10 Apr 2016 00:35:17 -0700
Subject: qcacld-2.0: Fix buffer overwrite problem in CCXPLMREQ
Set the number of channels to minimum of input data and
WNI_CFG_VALID_CHANNEL_LIST_LEN.
Change-Id: Ib6fca483ac99cddfcd3b739ce62e86ecd498f1f5
CRs-Fixed: 1001450
---
CORE/HDD/src/wlan_hdd_main.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index a6249e1..38452eb 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -3002,8 +3002,9 @@ static eHalStatus hdd_parse_plm_cmd(tANI_U8 *pValue, tSirPlmReq *pPlmRequest)
if (content < 0)
return eHAL_STATUS_FAILURE;
+ content = VOS_MIN(content, WNI_CFG_VALID_CHANNEL_LIST_LEN);
pPlmRequest->plmNumCh = content;
- hddLog(VOS_TRACE_LEVEL_DEBUG, "numch %d", pPlmRequest->plmNumCh);
+ hddLog(LOG1, FL("Numch: %d"), pPlmRequest->plmNumCh);
/* Channel numbers */
for (count = 0; count < pPlmRequest->plmNumCh; count++)
@@ -3021,10 +3022,9 @@ static eHalStatus hdd_parse_plm_cmd(tANI_U8 *pValue, tSirPlmReq *pPlmRequest)
if (1 != ret) return eHAL_STATUS_FAILURE;
ret = kstrtos32(buf, 10, &content);
- if ( ret < 0) return eHAL_STATUS_FAILURE;
-
- if (content <= 0)
- return eHAL_STATUS_FAILURE;
+ if (ret < 0 || content <= 0 ||
+ content > WNI_CFG_CURRENT_CHANNEL_STAMAX)
+ return eHAL_STATUS_FAILURE;
pPlmRequest->plmChList[count]= content;
hddLog(VOS_TRACE_LEVEL_DEBUG, " ch- %d",
@@ -6464,11 +6464,11 @@ static int hdd_driver_command(hdd_adapter_t *pAdapter,
{
tANI_U8 *value = command;
eHalStatus status = eHAL_STATUS_SUCCESS;
- tpSirPlmReq pPlmRequest = NULL;
+ tpSirPlmReq pPlmRequest;
pPlmRequest = vos_mem_malloc(sizeof(tSirPlmReq));
if (NULL == pPlmRequest){
- ret = -EINVAL;
+ ret = -ENOMEM;
goto exit;
}
--
cgit v1.1