2017-11-07 18:55:10 -05:00
|
|
|
From 72d3908cc1bcb075015f1b86001f4292ac41d38a Mon Sep 17 00:00:00 2001
|
2017-10-29 01:48:53 -04:00
|
|
|
From: Mahesh A Saptasagar <c_msapta@qti.qualcomm.com>
|
2017-11-07 18:55:10 -05:00
|
|
|
Date: Wed, 13 Apr 2016 09:19:31 -0700
|
|
|
|
Subject: qcacld 2.0: Validate ioctls for valid input length prima to
|
|
|
|
qcacld-2.0 propagation
|
2017-10-29 01:48:53 -04:00
|
|
|
|
|
|
|
Return failure to applications if ioctl is invoked with arguments
|
|
|
|
of improper length.
|
|
|
|
|
2017-11-07 18:55:10 -05:00
|
|
|
Bug: 27104184
|
|
|
|
Change-Id: I4459c5f39ca9c7a852772913578bd2122cb73879
|
2017-10-29 01:48:53 -04:00
|
|
|
---
|
2017-11-07 18:55:10 -05:00
|
|
|
.../staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c | 60 ++++++++++++++++++----
|
|
|
|
1 file changed, 49 insertions(+), 11 deletions(-)
|
2017-10-29 01:48:53 -04:00
|
|
|
|
2017-11-07 18:55:10 -05:00
|
|
|
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
|
|
|
|
index 005c193..9441a2a 100644
|
|
|
|
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
|
|
|
|
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
|
|
|
|
@@ -2151,7 +2151,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
|
|
|
u_int8_t *pos;
|
|
|
|
tpSap_WPSIE pSap_WPSIe;
|
|
|
|
u_int8_t WPSIeType;
|
|
|
|
- u_int16_t length;
|
|
|
|
+ u_int16_t length;
|
|
|
|
+ int ret = 0;
|
|
|
|
ENTER();
|
|
|
|
|
|
|
|
if (!capable(CAP_NET_ADMIN))
|
|
|
|
@@ -2183,8 +2184,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
case DOT11F_EID_WPA:
|
|
|
|
if (wps_genie[1] < 2 + 4)
|
|
|
|
{
|
|
|
|
- vos_mem_free(pSap_WPSIe);
|
|
|
|
- return -EINVAL;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
2017-10-29 01:48:53 -04:00
|
|
|
}
|
|
|
|
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
|
|
|
|
{
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2242,6 +2243,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
pos += 2;
|
|
|
|
length = *pos<<8 | *(pos+1);
|
|
|
|
pos += 2;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
|
|
|
|
+ {
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
2017-10-29 01:48:53 -04:00
|
|
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
|
|
|
|
pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
|
|
|
|
pos += length;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2256,8 +2262,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
|
|
|
|
default:
|
2017-11-07 18:55:10 -05:00
|
|
|
hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)\n", (*pos<<8 | *(pos+1)));
|
2017-10-29 01:48:53 -04:00
|
|
|
- vos_mem_free(pSap_WPSIe);
|
|
|
|
- return -EINVAL;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
2017-10-29 01:48:53 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2269,8 +2275,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
|
|
|
|
default:
|
|
|
|
hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
|
|
|
|
- vos_mem_free(pSap_WPSIe);
|
|
|
|
- return 0;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
2017-10-29 01:48:53 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2282,8 +2288,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
case DOT11F_EID_WPA:
|
|
|
|
if (wps_genie[1] < 2 + 4)
|
|
|
|
{
|
|
|
|
- vos_mem_free(pSap_WPSIe);
|
|
|
|
- return -EINVAL;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
2017-10-29 01:48:53 -04:00
|
|
|
}
|
|
|
|
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
|
|
|
|
{
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2347,6 +2353,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
pos += 2;
|
|
|
|
length = *pos<<8 | *(pos+1);
|
|
|
|
pos += 2;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
|
|
|
|
+ {
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
2017-10-29 01:48:53 -04:00
|
|
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
|
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
|
|
|
|
pos += length;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2356,6 +2367,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
pos += 2;
|
|
|
|
length = *pos<<8 | *(pos+1);
|
|
|
|
pos += 2;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
|
|
|
|
+ {
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
2017-10-29 01:48:53 -04:00
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
|
|
|
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
|
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2366,6 +2382,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
pos += 2;
|
|
|
|
length = *pos<<8 | *(pos+1);
|
|
|
|
pos += 2;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
|
|
|
|
+ {
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
2017-10-29 01:48:53 -04:00
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
|
|
|
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
|
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2375,6 +2396,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
pos += 2;
|
|
|
|
length = *pos<<8 | *(pos+1);
|
|
|
|
pos += 2;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
|
|
|
|
+ {
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
2017-10-29 01:48:53 -04:00
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
|
|
|
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
|
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2384,6 +2410,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
pos += 2;
|
|
|
|
length = *pos<<8 | *(pos+1);
|
|
|
|
pos += 2;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
|
|
|
|
+ {
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
2017-10-29 01:48:53 -04:00
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
|
|
|
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
|
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2394,7 +2425,6 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory = (*pos<<8 | *(pos+1));
|
|
|
|
hddLog(LOG1, "primary dev category: %d\n", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory);
|
|
|
|
pos += 2;
|
|
|
|
-
|
|
|
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceOUI, pos, HDD_WPS_DEVICE_OUI_LEN);
|
|
|
|
hddLog(LOG1, "primary dev oui: %02x, %02x, %02x, %02x\n", pos[0], pos[1], pos[2], pos[3]);
|
|
|
|
pos += 4;
|
|
|
|
@@ -2407,6 +2437,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
pos += 2;
|
|
|
|
length = *pos<<8 | *(pos+1);
|
|
|
|
pos += 2;
|
2017-11-07 18:55:10 -05:00
|
|
|
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
|
|
|
|
+ {
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
2017-10-29 01:48:53 -04:00
|
|
|
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
|
|
|
|
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
|
|
|
|
pos += length;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2438,6 +2473,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
} // switch
|
|
|
|
}
|
|
|
|
halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
|
|
|
|
+ if (halStatus != eHAL_STATUS_SUCCESS)
|
2017-11-07 18:55:10 -05:00
|
|
|
+ ret = -EINVAL;
|
2017-10-29 01:48:53 -04:00
|
|
|
pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
|
|
|
|
if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
|
|
|
|
{
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2446,9 +2483,10 @@ static int iw_softap_setwpsie(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
WLANSAP_Update_WpsIe ( pVosContext );
|
|
|
|
}
|
|
|
|
|
2017-11-07 18:55:10 -05:00
|
|
|
+ exit:
|
2017-10-29 01:48:53 -04:00
|
|
|
vos_mem_free(pSap_WPSIe);
|
|
|
|
EXIT();
|
|
|
|
- return halStatus;
|
|
|
|
+ return ret;
|
|
|
|
}
|
|
|
|
|
2017-11-07 18:55:10 -05:00
|
|
|
static int iw_softap_stopbss(struct net_device *dev,
|
2017-10-29 01:48:53 -04:00
|
|
|
--
|
|
|
|
cgit v1.1
|
|
|
|
|