2017-11-07 17:32:46 -05:00
|
|
|
From f1081e78eff75ca665c662493736b17cb792b46d Mon Sep 17 00:00:00 2001
|
2017-10-29 01:48:53 -04:00
|
|
|
From: Jeff Johnson <jjohnson@codeaurora.org>
|
|
|
|
Date: Mon, 28 Nov 2016 09:19:02 -0800
|
|
|
|
Subject: qcacld-2.0: Avoid overflow of roam subcmd params
|
|
|
|
|
|
|
|
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
|
|
|
|
command, for the following roam commands there are input validation
|
|
|
|
issues:
|
|
|
|
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
|
|
|
|
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
|
|
|
|
|
|
|
|
Both of these commands have a "number of BSSIDs" attribute as well as a
|
|
|
|
list of BSSIDs. However there is no validation that the number of
|
|
|
|
BSSIDs provided won't overflow the destination buffer. In addition
|
|
|
|
there is no validation that the number of BSSIDs actually provided
|
|
|
|
matches the number of BSSIDs expected.
|
|
|
|
|
|
|
|
To address these issues, for the above mentioned commands:
|
|
|
|
* Verify that the expected number of BSSIDs doesn't exceed the maximum
|
|
|
|
allowed number of BSSIDs
|
|
|
|
* Verify that the actual number of BSSIDs supplied doesn't exceed the
|
|
|
|
expected number of BSSIDs
|
|
|
|
* Only process the actual number of supplied BSSIDs if it is less than
|
|
|
|
the expected number of BSSIDs.
|
|
|
|
|
|
|
|
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
|
|
|
|
CRs-Fixed: 1092497
|
|
|
|
---
|
|
|
|
CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------
|
|
|
|
1 file changed, 37 insertions(+), 6 deletions(-)
|
|
|
|
|
|
|
|
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
|
|
index b3c265c..800d123 100644
|
|
|
|
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
|
|
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
|
|
@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
|
|
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
|
|
|
|
int rem, i;
|
|
|
|
uint32_t buf_len = 0;
|
|
|
|
+ uint32_t count;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (VOS_FTM_MODE == hdd_get_conparam()) {
|
|
|
|
@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
|
|
hddLog(LOGE, FL("attr num of preferred bssid failed"));
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
- roam_params.num_bssid_favored = nla_get_u32(
|
|
|
|
+ count = nla_get_u32(
|
|
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
|
|
|
|
+ if (count > MAX_BSSID_FAVORED) {
|
|
|
|
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
|
|
|
|
+ count, MAX_BSSID_FAVORED);
|
|
|
|
+ goto fail;
|
|
|
|
+ }
|
|
|
|
hddLog(VOS_TRACE_LEVEL_DEBUG,
|
|
|
|
- FL("Num of Preferred BSSID (%d)"),
|
|
|
|
- roam_params.num_bssid_favored);
|
|
|
|
+ FL("Num of Preferred BSSID: %d"), count);
|
|
|
|
i = 0;
|
|
|
|
nla_for_each_nested(curr_attr,
|
|
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
|
|
|
|
rem) {
|
|
|
|
+
|
|
|
|
+ if (i == count) {
|
|
|
|
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
|
|
|
|
+ break;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
if (nla_parse(tb2,
|
|
|
|
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
|
|
|
|
nla_data(curr_attr), nla_len(curr_attr),
|
|
|
|
@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
|
|
roam_params.bssid_favored_factor[i]);
|
|
|
|
i++;
|
|
|
|
}
|
|
|
|
+ if (i < count)
|
|
|
|
+ hddLog(LOGW,
|
|
|
|
+ FL("Num Preferred BSSID %u less than expected %u"),
|
|
|
|
+ i, count);
|
|
|
|
+ roam_params.num_bssid_favored = i;
|
|
|
|
sme_update_roam_params(pHddCtx->hHal, session_id,
|
|
|
|
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
|
|
|
|
break;
|
|
|
|
@@ -2092,15 +2108,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
|
|
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
- roam_params.num_bssid_avoid_list = nla_get_u32(
|
|
|
|
+ count = nla_get_u32(
|
|
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
|
|
|
|
+ if (count > MAX_BSSID_AVOID_LIST) {
|
|
|
|
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
|
|
|
|
+ count, MAX_BSSID_AVOID_LIST);
|
|
|
|
+ goto fail;
|
|
|
|
+ }
|
|
|
|
hddLog(VOS_TRACE_LEVEL_DEBUG,
|
|
|
|
- FL("Num of blacklist BSSID (%d)"),
|
|
|
|
- roam_params.num_bssid_avoid_list);
|
|
|
|
+ FL("Num of blacklist BSSID: %d"), count);
|
|
|
|
i = 0;
|
|
|
|
nla_for_each_nested(curr_attr,
|
|
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
|
|
|
|
rem) {
|
|
|
|
+
|
|
|
|
+ if (i == count) {
|
|
|
|
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
|
|
|
|
+ break;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
if (nla_parse(tb2,
|
|
|
|
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
|
|
|
|
nla_data(curr_attr), nla_len(curr_attr),
|
|
|
|
@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
|
|
roam_params.bssid_avoid_list[i]));
|
|
|
|
i++;
|
|
|
|
}
|
|
|
|
+ if (i < count)
|
|
|
|
+ hddLog(LOGW,
|
|
|
|
+ FL("Num Blacklist BSSID %u less than expected %u"),
|
|
|
|
+ i, count);
|
|
|
|
+ roam_params.num_bssid_avoid_list = i;
|
|
|
|
sme_update_roam_params(pHddCtx->hHal, session_id,
|
|
|
|
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
|
|
|
|
break;
|
|
|
|
--
|
|
|
|
cgit v1.1
|
|
|
|
|