DivestOS/Patches/Linux_CVEs/CVE-2017-0572/ANY/0.patch

61 lines
2.1 KiB
Diff
Raw Normal View History

From 3afb019c44d750086f8d5228f8c934da2910d8df Mon Sep 17 00:00:00 2001
From: gwx419604 <gwx419604@notesmail.huawei.com>
Date: Mon, 20 Mar 2017 15:11:22 +0800
Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in
dhd_pno_process_anqpo_result
CVE-2017-0572
added boundary check not to overflow buffer
especially when input parameters manipulated.
Bug: 34198931
Change-Id: I39d7dc38a597a938d37dbd7bb267a7ff4df93e45
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: gwx419604 <gwx419604@notesmail.huawei.com>
---
drivers/net/wireless/bcmdhd/dhd_pno.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index f3f2a6f2e7aac..ab9bede10e30d 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -3631,8 +3631,8 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size)
u32 bi_length = 0;
uint8 channel;
uint32 mem_needed;
-
struct timespec ts;
+ wl_event_gas_t *gas_data;
*size = 0;
@@ -3653,9 +3653,22 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size)
DHD_ERROR(("Invalid bss_info length %d: ignoring\n", bi_length));
goto exit;
}
- if (bi->SSID_len > DOT11_MAX_SSID_LEN) {
- DHD_ERROR(("Invalid SSID length %d: trimming it to max\n", bi->SSID_len));
- bi->SSID_len = DOT11_MAX_SSID_LEN;
+ if ((bi->SSID_len > DOT11_MAX_SSID_LEN)||
+ (bi->ie_length > (*size - sizeof(wl_bss_info_t))) ||
+ (bi->ie_offset < sizeof(wl_bss_info_t)) ||
+ (bi->ie_offset > (sizeof(wl_bss_info_t) + bi->ie_length))){
+ DHD_ERROR(("%s: tot:%d,SSID:%d,ie_len:%d,ie_off:%d\n",
+ __FUNCTION__, *size, bi->SSID_len,
+ bi->ie_length, bi->ie_offset));
+ return NULL;
+ }
+
+ gas_data = (wl_event_gas_t *)((uint8 *)data + bi->ie_offset + bi->ie_length);
+
+ if (gas_data->data_len > (*size - (bi->ie_offset + bi->ie_length))) {
+ DHD_ERROR(("%s: wrong gas_data_len:%d\n",
+ __FUNCTION__, gas_data->data_len));
+ return NULL;
}
mem_needed = OFFSETOF(wifi_gscan_result_t, ie_data) + bi->ie_length;