DivestOS/Patches/Linux_CVEs/CVE-2017-0440/ANY/1.patch

From 054ce0761e900c5f63089393f8b6cadf17d55ade Mon Sep 17 00:00:00 2001
From: Hanumanth Reddy Pothula <c_hpothu@codeaurora.org>
Date: Fri, 27 Jan 2017 16:43:45 +0530
Subject: prima: Avoid overflow of "set_bssid_hotlist" params

qcacld2.0 to prima propgation

The wlan driver supports the following vendor command:
      QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST

This command supplies a "number of APs" attribute as well as a list of
per-AP attributes.  However there is no validation that the number of
APs provided won't overflow the destination buffer.  In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.

To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
  allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
  expected number of APs
* Only process the actual number of supplied APs if it is less than
  the expected number of APs.

Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5
CRs-Fixed: 1095770
---
 CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 8aa38d1..f130174 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -3764,10 +3764,20 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
 
     pReqMsg->numBssid = nla_get_u32(
               tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]);
+    if (pReqMsg->numBssid > WLAN_EXTSCAN_MAX_HOTLIST_APS) {
+        hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"),
+               pReqMsg->numBssid, WLAN_EXTSCAN_MAX_HOTLIST_APS);
+        goto fail;
+    }
     hddLog(VOS_TRACE_LEVEL_INFO, FL("Number of AP (%d)"), pReqMsg->numBssid);
 
     nla_for_each_nested(apTh,
                 tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) {
+        if (i == pReqMsg->numBssid) {
+            hddLog(LOGW, FL("Ignoring excess AP"));
+            break;
+        }
+
         if(nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
                 nla_data(apTh), nla_len(apTh),
                 NULL)) {
@@ -3806,6 +3816,12 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
         i++;
     }
 
+    if (i < pReqMsg->numBssid) {
+        hddLog(LOGW, FL("Number of AP %u less than expected %u"),
+               i, pReqMsg->numBssid);
+        pReqMsg->numBssid = i;
+    }
+
     context = &pHddCtx->ext_scan_context;
     spin_lock(&hdd_context_lock);
     INIT_COMPLETION(context->response_event);
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 054ce0761e900c5f63089393f8b6cadf17d55ade Mon Sep 17 00:00:00 2001`
			`From: Hanumanth Reddy Pothula <c_hpothu@codeaurora.org>`
			`Date: Fri, 27 Jan 2017 16:43:45 +0530`
			`Subject: prima: Avoid overflow of "set_bssid_hotlist" params`

			`qcacld2.0 to prima propgation`

			`The wlan driver supports the following vendor command:`
			`QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST`

			`This command supplies a "number of APs" attribute as well as a list of`
			`per-AP attributes. However there is no validation that the number of`
			`APs provided won't overflow the destination buffer. In addition there`
			`is no validation that the number of APs actually provided matches the`
			`number of APs expected.`

			`To address these issues:`
			`* Verify that the expected number of APs doesn't exceed the maximum`
			`allowed number of APs`
			`* Verify that the actual number of APs supplied doesn't exceed the`
			`expected number of APs`
			`* Only process the actual number of supplied APs if it is less than`
			`the expected number of APs.`

			`Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5`
			`CRs-Fixed: 1095770`
			`---`
			`CORE/HDD/src/wlan_hdd_cfg80211.c \| 16 ++++++++++++++++`
			`1 file changed, 16 insertions(+)`

			`diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c`
			`index 8aa38d1..f130174 100644`
			`--- a/CORE/HDD/src/wlan_hdd_cfg80211.c`
			`+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c`
			`@@ -3764,10 +3764,20 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,`

			`pReqMsg->numBssid = nla_get_u32(`
			`tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]);`
			`+ if (pReqMsg->numBssid > WLAN_EXTSCAN_MAX_HOTLIST_APS) {`
			`+ hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"),`
			`+ pReqMsg->numBssid, WLAN_EXTSCAN_MAX_HOTLIST_APS);`
			`+ goto fail;`
			`+ }`
			`hddLog(VOS_TRACE_LEVEL_INFO, FL("Number of AP (%d)"), pReqMsg->numBssid);`

			`nla_for_each_nested(apTh,`
			`tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) {`
			`+ if (i == pReqMsg->numBssid) {`
			`+ hddLog(LOGW, FL("Ignoring excess AP"));`
			`+ break;`
			`+ }`
			`+`
			`if(nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,`
			`nla_data(apTh), nla_len(apTh),`
			`NULL)) {`
			`@@ -3806,6 +3816,12 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,`
			`i++;`
			`}`

			`+ if (i < pReqMsg->numBssid) {`
			`+ hddLog(LOGW, FL("Number of AP %u less than expected %u"),`
			`+ i, pReqMsg->numBssid);`
			`+ pReqMsg->numBssid = i;`
			`+ }`
			`+`
			`context = &pHddCtx->ext_scan_context;`
			`spin_lock(&hdd_context_lock);`
			`INIT_COMPLETION(context->response_event);`
			`--`
			`cgit v1.1`