mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-17 10:27:26 -05:00
From 7dff4291c6aecad9143b8fc2c0769f818834c33a Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Thu, 15 Jun 2017 10:51:02 -0700
Subject: [PATCH] qcacld-2.0: Avoid overread when configuring MAC addresses
Currently there are multiple cfg80211 vendor commands where MAC
address attributes are defined in a nla_policy table with a type of
NLA_UNSPEC but without a minimum length. Add the proper minimum length
to avoid buffer overread.
Bug: 37713609
Change-Id: I11ff2bd813dc4e6784a7cdee66a0c10ca0e69fcf
CRs-Fixed: 2061251
Signed-off-by: Ecco Park <eccopark@google.com>
---
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 24 +++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 6849a6c82f821..94b161e37a59a 100644
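--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -833,7 +833,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_FLUSH] = { .type = NLA_U8 },
 
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_MAX] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID] = { .type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_LOW] = { .type = NLA_S32 },
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_HIGH] = { .type = NLA_S32 },
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_CHANNEL] = { .type = NLA_U32 },
@@ -6742,7 +6744,9 @@ int wlan_hdd_send_roam_auth_event(hdd_context_t *hdd_ctx_ptr, uint8_t *bssid,
 static const struct nla_policy
 wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] =
 {
- [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAC_ADDR] = {.type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
 [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_CHANNEL] = {.type = NLA_S32 },
 [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_GLOBAL_OPERATING_CLASS] =
 {.type = NLA_S32 },
@@ -6754,15 +6758,18 @@ wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] =
 static const struct nla_policy
 wlan_hdd_tdls_config_disable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAX +1] =
 {
- [QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAC_ADDR] = {.type = NLA_UNSPEC },
-
+ [QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
 };
 
 static const struct nla_policy
 wlan_hdd_tdls_config_state_change_policy[
 QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAX +1] =
 {
- [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAC_ADDR] = {.type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
 [QCA_WLAN_VENDOR_ATTR_TDLS_NEW_STATE] = {.type = NLA_U32 },
 [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_REASON] = {.type = NLA_S32 },
 [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_CHANNEL] = {.type = NLA_U32 },
@@ -6775,7 +6782,9 @@ static const struct nla_policy
 wlan_hdd_tdls_config_get_status_policy[
 QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAX +1] =
 {
- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAC_ADDR] = {.type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
 [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_STATE] = {.type = NLA_U32 },
 [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_REASON] = {.type = NLA_S32 },
 [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_CHANNEL] = {.type = NLA_U32 },
@@ -8493,7 +8502,8 @@ static const struct
 nla_policy
 qca_wlan_vendor_attr_policy[QCA_WLAN_VENDOR_ATTR_MAX+1] = {
 [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = {
- .type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE },
+ .type = NLA_BINARY,
+ .len = HDD_MAC_ADDR_LEN},
 };
 
 /**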
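Review bot: The `QCA_WLAN_VENDOR_ATTR_MAC_ADDR` entry in `qca_wlan_vendor_attr_policy` (last hunk) keeps `.type = NLA_BINARY`, and for that type the kernel's netlink policy validation treats `.len` as a maximum length, not a minimum, so an attribute shorter than a MAC address still passes the policy. The hunk only swaps `VOS_MAC_ADDR_SIZE` for `HDD_MAC_ADDR_LEN`; the handler that consumes this attribute is not visible here, but if it copies a full address out of `nla_data()`, the overread described in the commit message presumably remains on this path. Either declare the entry like the others, `.type = NLA_UNSPEC, .len = HDD_MAC_ADDR_LEN`, or have the consumer reject `nla_len(attr) < HDD_MAC_ADDR_LEN` before copying. For the `NLA_UNSPEC` entries in the earlier hunks `.len` is a lower bound only, so their handlers should still copy exactly `HDD_MAC_ADDR_LEN` bytes rather than trusting the attribute length.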