From b7fb46c77af4623291f53a5453df733b8fb1fe18 Mon Sep 17 00:00:00 2001
From: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Date: Fri, 20 Jan 2017 17:32:53 -0800
Subject: [PATCH] net: wireless: bcmdhd: Heap overflow in wl_run_escan.
1) The default_chan_list buffer overflow is avoided by checking
n_nodfs index does not exceed num_chans, which is the length
of default_chan_list buffer.
2) The SSID length check 32(max limit) is done and then the SSID
name copied in extra buffer is null terminated. The extra buffer
is allocated a length of 33 in wl_iw_ioctl.c.
3) Issue of chances of cumulative results->pkt_count length
exceeding allocated memory length of results->total_count is
avoided in this fix. change_array is the destination array
whose length is allocated to results->total_count.
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Bug: 34197514
Bug: 34199963
Bug: 34198729
Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3
---
drivers/net/wireless/bcmdhd/dhd_pno.c | 12 +++++++++++-
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++++-
2 files changed, 19 insertions(+), 2 deletions(-)
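diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index ec2c347ca6219..95bfe2729855f 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -3622,7 +3622,17 @@ void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_
 }
 
 change_array = ¶ms->change_array[params->results_rxed_so_far];
- memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count);
+ if ((params->results_rxed_so_far + results->pkt_count) >
+ results->total_count) {
+ DHD_ERROR(("Error: Invalid data reset the counters!!\n"));
+ *send_evt_bytes = 0;
+ kfree(params->change_array);
+ params->change_array = NULL;
+ return ptr;
+ }
+
+ memcpy(change_array, results->list,
+ sizeof(wl_pfn_significant_net_t) * results->pkt_count);
 params->results_rxed_so_far += results->pkt_count;
 
 if (params->results_rxed_so_far == results->total_count) {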
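Review bot: The new error branch in dhd_handle_swc_evt frees `params->change_array` and sets it to NULL but leaves `params->results_rxed_so_far` untouched, although the log text says the counters are reset; if nothing outside the hunk clears it, the next event would index from a stale offset into a NULL array, so add `params->results_rxed_so_far = 0;` before `return ptr;`. The bound is also `results->total_count` taken from the current event, while the commit message says the array was sized from total_count when it was allocated; if firmware can report a larger total_count in a later fragment the check passes against the wrong limit, so comparing with the count stored at allocation time would be safer. The function body starts and ends outside the hunk, so both points need confirming against the allocation code.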
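diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 6cadcb56582be..063d49015e5a6 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -2288,6 +2288,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
 /* allows only supported channel on
 * current reguatory
 */
+ if (n_nodfs >= num_chans)
+ break;
+
 if (channel == (dtoh32(list->element[j])))
 default_chan_list[n_nodfs++] =
 channel;
@@ -9315,8 +9318,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
 struct wiphy *wiphy = bcmcfg_to_wiphy(cfg);
 #endif /* GSCAN_SUPPORT */
 
- WL_ERR((">>> PNO Event\n"));
+ if (!data) {
+ WL_ERR(("Data is NULL!\n"));
+ return 0;
+ }
 
+ WL_DBG((">>> PNO Event\n"));
 ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
 
 #ifdef GSCAN_SUPPORT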
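Review bot: The new `if (n_nodfs >= num_chans) break;` in wl_run_escan prevents the write past default_chan_list, but it drops the remaining channels silently and, if it sits in an inner loop over `list->element[j]` as the context suggests, it only leaves that inner loop while any enclosing loop keeps iterating to no effect. Adding `WL_ERR(("default_chan_list full, channel list truncated\n"));` before the `break` would make a truncated scan list visible in logs; the loop structure is outside the hunk, so confirm whether the outer loop should stop as well. In wl_notify_pfn_status the added guard rejects only a NULL `data`; the event length is not compared with the size of the structure read from it later, which should be checked where the payload is dereferenced. Item 2 of the commit message (the 32-byte SSID length check and NUL termination) has no matching change in either file of this patch.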