DivestOS/Patches/Linux_CVEs/CVE-2016-0806/prima/0012.patch

190 lines
8.0 KiB
Diff
Raw Normal View History

2017-11-07 18:55:10 -05:00
From 72d3908cc1bcb075015f1b86001f4292ac41d38a Mon Sep 17 00:00:00 2001
From: Mahesh A Saptasagar <c_msapta@qti.qualcomm.com>
2017-11-07 18:55:10 -05:00
Date: Wed, 13 Apr 2016 09:19:31 -0700
Subject: qcacld 2.0: Validate ioctls for valid input length prima to
qcacld-2.0 propagation
Return failure to applications if ioctl is invoked with arguments
of improper length.
2017-11-07 18:55:10 -05:00
Bug: 27104184
Change-Id: I4459c5f39ca9c7a852772913578bd2122cb73879
---
2017-11-07 18:55:10 -05:00
.../staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c | 60 ++++++++++++++++++----
1 file changed, 49 insertions(+), 11 deletions(-)
2017-11-07 18:55:10 -05:00
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
index 005c193..9441a2a 100644
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -2151,7 +2151,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
u_int8_t *pos;
tpSap_WPSIE pSap_WPSIe;
u_int8_t WPSIeType;
- u_int16_t length;
+ u_int16_t length;
+ int ret = 0;
ENTER();
if (!capable(CAP_NET_ADMIN))
@@ -2183,8 +2184,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
case DOT11F_EID_WPA:
if (wps_genie[1] < 2 + 4)
{
- vos_mem_free(pSap_WPSIe);
- return -EINVAL;
2017-11-07 18:55:10 -05:00
+ ret = -EINVAL;
+ goto exit;
}
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
{
2017-11-07 18:55:10 -05:00
@@ -2242,6 +2243,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
2017-11-07 18:55:10 -05:00
+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
pos += length;
2017-11-07 18:55:10 -05:00
@@ -2256,8 +2262,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
default:
2017-11-07 18:55:10 -05:00
hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)\n", (*pos<<8 | *(pos+1)));
- vos_mem_free(pSap_WPSIe);
- return -EINVAL;
2017-11-07 18:55:10 -05:00
+ ret = -EINVAL;
+ goto exit;
}
}
}
2017-11-07 18:55:10 -05:00
@@ -2269,8 +2275,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
default:
hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
- vos_mem_free(pSap_WPSIe);
- return 0;
2017-11-07 18:55:10 -05:00
+ ret = -EINVAL;
+ goto exit;
}
}
else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
2017-11-07 18:55:10 -05:00
@@ -2282,8 +2288,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
case DOT11F_EID_WPA:
if (wps_genie[1] < 2 + 4)
{
- vos_mem_free(pSap_WPSIe);
- return -EINVAL;
2017-11-07 18:55:10 -05:00
+ ret = -EINVAL;
+ goto exit;
}
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
{
2017-11-07 18:55:10 -05:00
@@ -2347,6 +2353,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
2017-11-07 18:55:10 -05:00
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
pos += length;
2017-11-07 18:55:10 -05:00
@@ -2356,6 +2367,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
2017-11-07 18:55:10 -05:00
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
2017-11-07 18:55:10 -05:00
@@ -2366,6 +2382,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
2017-11-07 18:55:10 -05:00
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
2017-11-07 18:55:10 -05:00
@@ -2375,6 +2396,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
2017-11-07 18:55:10 -05:00
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
2017-11-07 18:55:10 -05:00
@@ -2384,6 +2410,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
2017-11-07 18:55:10 -05:00
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
2017-11-07 18:55:10 -05:00
@@ -2394,7 +2425,6 @@ static int iw_softap_setwpsie(struct net_device *dev,
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory = (*pos<<8 | *(pos+1));
hddLog(LOG1, "primary dev category: %d\n", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory);
pos += 2;
-
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceOUI, pos, HDD_WPS_DEVICE_OUI_LEN);
hddLog(LOG1, "primary dev oui: %02x, %02x, %02x, %02x\n", pos[0], pos[1], pos[2], pos[3]);
pos += 4;
@@ -2407,6 +2437,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
2017-11-07 18:55:10 -05:00
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
pos += length;
2017-11-07 18:55:10 -05:00
@@ -2438,6 +2473,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
} // switch
}
halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
+ if (halStatus != eHAL_STATUS_SUCCESS)
2017-11-07 18:55:10 -05:00
+ ret = -EINVAL;
pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
{
2017-11-07 18:55:10 -05:00
@@ -2446,9 +2483,10 @@ static int iw_softap_setwpsie(struct net_device *dev,
WLANSAP_Update_WpsIe ( pVosContext );
}
2017-11-07 18:55:10 -05:00
+ exit:
vos_mem_free(pSap_WPSIe);
EXIT();
- return halStatus;
+ return ret;
}
2017-11-07 18:55:10 -05:00
static int iw_softap_stopbss(struct net_device *dev,
--
cgit v1.1