DivestOS/Patches/Linux_CVEs/CVE-2017-9715/ANY/0.patch

51 lines
2.3 KiB
Diff
Raw Normal View History

From 58350a7bcb827c0ac81f0750a62d5c5a8ed3a469 Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Tue, 6 Jun 2017 08:56:33 -0700
Subject: qcacld-2.0: Avoid extscan bucket spec overread
Currently in hdd_extscan_start_fill_bucket_channel_spec() the
QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC attribute is parsed without
specifying a policy. This means that no policy is enforced.
Subsequently the values of the nested attributes are retrieved, but
again without any length limits enforced. This could result in a
buffer overread.
To prevent this issue:
* Parse using the existing policy wlan_hdd_extscan_config_policy
* Update the policy to add missing attributes
Change-Id: I3b20cb28d1beccd2e804b022b531413ad1edb533
CRs-Fixed: 2057034
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 1f6be81..078b4fd 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -850,6 +850,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 },
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING] = { .type = NLA_U32 },
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP] = { .type = NLA_U32 },
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_MAX_PERIOD] = { .type = NLA_U32 },
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_BASE] = { .type = NLA_U32 },
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_STEP_COUNT] = { .type = NLA_U32 },
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID] = { .type = NLA_BINARY,
.len = IEEE80211_MAX_SSID_LEN + 1 },
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE] = { .type = NLA_U32 },
@@ -3533,8 +3536,9 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
}
if (nla_parse(bucket,
- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
- nla_data(buckets), nla_len(buckets), NULL)) {
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
+ nla_data(buckets), nla_len(buckets),
+ wlan_hdd_extscan_config_policy)) {
hddLog(LOGE, FL("nla_parse failed"));
return -EINVAL;
}
--
cgit v1.1