From 68acc6ab1474e9dde68880a7856e8a74ff86aa19 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Mon, 5 Jun 2017 10:21:10 -0700
Subject: net: wireless: bcmdhd: adding boudary check in wl_escan_handler
WLC_E_ESCAN_RESULT event could be manipulated especially two length field
inside, one is for escan_result buffer length and another one is
bss_info length, the forged fields may bypass current length check and
corrupt kernel heap memory.
so added checking validation for two length fields in WLC_E_ESCAN_RESULT
event.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 37351060
Change-Id: I31e9fccc48fc06278fb3a87a76ef7337296c2b0d
---
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 021f69f7..d8c748d 100644
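--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -10513,6 +10513,13 @@ static s32 wl_escan_handler(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
 WL_ERR(("Invalid escan result (NULL pointer)\n"));
 goto exit;
 }
+ if ((dtoh32(escan_result->buflen) > ESCAN_BUF_SIZE) ||
+ (dtoh32(escan_result->buflen) <
+ sizeof(wl_escan_result_t))) {
+ WL_ERR(("Invalid escan buffer len:%d\n",
+ dtoh32(escan_result->buflen)));
+ goto exit;
+ }
 if (dtoh16(escan_result->bss_count) != 1) {
 WL_ERR(("Invalid bss_count %d: ignoring\n", escan_result->bss_count));
 goto exit;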
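Review bot: Only `escan_result->buflen` is validated in this hunk, while the commit message names two forged length fields; the bss_info length is not checked in the visible lines, so its bound has to come from code outside the hunk (the body of `wl_escan_handler` starts before and continues past it). The new upper bound is also the constant `ESCAN_BUF_SIZE` rather than the length of the event payload actually received, so a buflen that passes here can presumably still exceed the data that arrived; comparing it with the event's reported data length as well would close that gap. If the later check does not already do so, reject a bss_info length larger than the validated buflen minus the fixed result header before anything is copied. Minor: the value is unsigned, so the log line should read `WL_ERR(("Invalid escan buffer len:%u\n",` to keep a forged large length readable in the kernel log.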
--
cgit v1.1